Office (OLE) / .DOC malware analysis — malicious · 784bab0447c8c59a

MALICIOUS

Office (OLE) / .DOC

68.6 KB

MD5: 3658e3126416f46fa94038426d3ef1b1 SHA-1: b3a0dd9fd6f7095cee94b23d49f36af8a4608fcb SHA-256: 784bab0447c8c59abcc853d53218eaf3b154707818f1f08f2c77b5a74123c449

140 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution T1071 Application Layer Protocol

The sample is a malicious OLE document exhibiting a large slack anomaly, indicating hidden or obfuscated content. High-severity heuristics indicate the use of Windows API functions commonly associated with loading and executing code, such as VirtualProtect, LoadLibrary, and GetProcAddress. The obfuscated document body further supports the likelihood of malicious intent, likely to download and execute a second-stage payload.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 70,208 bytes but its declared streams total only 8,934 bytes — 61,274 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.