Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 77fde8c9a6a2a0ed…

MALICIOUS

Office (OLE) / .DOC

Size: 129.5 KB (132,560 bytes) · Created: 2006-01-25 08:30:00 · Authoring application: Microsoft Office Word
MD5: f7dff3ca90d8cb415ac4f4e1f2d68ac0 SHA-1: 222c3eea23a756d8353ec742d0698c434d0d3f90 SHA-256: 77fde8c9a6a2a0ed28199b1216304e2abaded563f84817b28d397b17171cec4d
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE compound document with a large slack-space anomaly: most of the file sits in sectors that no stream chain claims, the classic place to hide an embedded payload. String heuristics also find references to LoadLibrary and GetProcAddress, the pair that position-independent shellcode uses to resolve its own imports at run time once it gains control. No document body text and no macro or script content was recovered, so the verdict rests on these structural and string indicators. Together they point to a client-side exploit (T1203): a malformed structure corrupts the Word parser's state, execution is redirected into shellcode stored in the slack, and that shellcode, having resolved its APIs, downloads or drops and runs a secondary payload. Nothing observed indicates a VBA macro; the slack layout and the 2006 creation timestamp fit the older exploit-document pattern rather than a macro downloader.

Heuristics (3)

  • Reference to LoadLibrary API  [high]  SC_STR_LOADLIBRARY
    The string LoadLibrary is present in the file. Legitimate document content rarely names Win32 API functions (a VBA module with Declare statements is the benign exception, and no macro content is reported here); shellcode does, because it arrives without an import table and must load the DLLs it needs by hand.
  • Reference to GetProcAddress API  [high]  SC_STR_GETPROCADDRESS
    The string GetProcAddress is present. With LoadLibrary it forms the standard self-resolving stub: locate kernel32, resolve GetProcAddress, then resolve every other function by name, which in a downloader means the URL-fetch and process-creation routines.
  • OLE document has large unaccounted-for region  [high]  OLE_SLACK_ANOMALY
    The OLE file is 132,560 bytes but its declared streams total only 21,151 bytes; the remaining 111,409 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads: XOR-encoded shellcode that a parser pointer-corruption bug in the document structure branches into. Caveat: compound files are rewritten in place and freed sectors are not zeroed, so some slack is normal in a document that has been edited and saved repeatedly. What makes it suspicious here is the size of the region together with the API-name strings above.