Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7eb673ce24357144…

MALICIOUS

Office (OLE) / .DOC

2.13 MB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 6575c746ec5e9a81fbbf79dfee727f7f SHA-1: e62ec33fbd1387556215285a208627fc40910ec7 SHA-256: 7eb673ce24357144e8720d3775fbde02ea697b588869a04d0dad4aacd310b3a1
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1218.011 Signed Binary Proxy Execution: Rundll32 T1071.001 Web Protocols: Web Protocols T1105 Ingress Tool Transfer

The sample exhibits high-confidence heuristic firings related to PEB access and API hash resolution, indicating sophisticated evasion techniques. References to VirtualAlloc, LoadLibrary, and GetProcAddress suggest dynamic code loading and execution. The large OLE slack anomaly further points to a packed or obfuscated payload. While no specific URLs or scripts were extracted, these indicators strongly suggest the document is designed to download and execute a secondary malicious payload, likely leveraging system APIs for its operations.

Heuristics 7

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 2,235,904 bytes but its declared streams total only 94,801 bytes — 2,141,103 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.npdc.navy.mil/cennavintel/nmitc/
    • https://secureapp2.hqda.pentagon.mil/perdiem/
    • https://www.marinenet.usmc.mil/MarineNet/
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.