Office (OLE) / .DOC malware analysis — malicious · 7f2cf557d25e3fc4

MALICIOUS

Office (OLE) / .DOC

151.5 KB

MD5: 783f67dbee4cceffaacbf3145136d322 SHA-1: cc73c47feae0149ba49579de82ad75a8977e9c70 SHA-256: 7f2cf557d25e3fc40470a0662c0dc56a673eb361ac6ac3d63387189f021c5d7c

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1055.012 Process Hollowing

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of Windows API functions like VirtualAlloc, LoadLibrary, and GetProcAddress, commonly employed by malware to allocate memory and load dynamic link libraries for execution. This suggests the document is designed to download and execute a second-stage payload.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 155,136 bytes but its declared streams total only 31,351 bytes — 123,785 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.