Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7f887bc8451f8ebd…

MALICIOUS

Office (OLE) / .DOC

Size: 65.7 KB (67,232 bytes) Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: a93d234e5744d11a9fbb3cde3f86513e SHA-1: 2e3c2cd588040549236bc5cb61f0c693c7b36645 SHA-256: 7f887bc8451f8ebd54c150ffe88728f41ee6df39209f8694359f5dccf2ede3fc
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an OLE document whose unallocated sector slack is unusually large, a sign of obfuscation or an embedded payload. A high-severity heuristic fired on a string reference to the CreateProcess API, which suggests the document tries to launch an external process. No document body or script (macro) content was available for further analysis, so the specific payload and delivery mechanism could not be determined from static analysis alone.

Heuristics (2)

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 67,232 bytes but its declared streams total only 21,151 bytes; the remaining 46,081 bytes (69%) lie in sectors not allocated to any stream. That region is a common hiding place for payloads in exploit-style (non-macro) Office documents: XOR-encoded shellcode reached through a pointer-corruption bug in the document parser. Unallocated sectors also arise benignly when streams are deleted or rewritten in place, so the region itself should be inspected (entropy, XOR-decodable strings) rather than treated as proof on its own.
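The two heuristics above can be reproduced without the vendor's scanner. The following is an added example, not code from the report or from the tool that produced it. It parses the compound-file (CFB/OLE2) header, FAT and directory per the documented layout, reports the report's own metric (file size minus declared stream bytes) alongside a tighter one (bytes that no FAT-allocated sector covers), and scans for API names such as CreateProcess both in the clear and under every single-byte XOR key. The exact formula the scanner uses is not stated on the page, so the slack metrics here are an assumption; the sample file is constructed in the block (a minimal version-3 compound file with one stream and an unreferenced XOR-encoded trailer standing in for slack) and is not the analysed sample.

```python
# Added example (not the scanner's code): OLE slack and XOR-encoded API-string heuristics.
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF
HEADER = 512


def _sector(data, n, size):
    # Sector n sits at (n + 1) * size: the header occupies the first sector slot.
    return data[(n + 1) * size:(n + 2) * size]


def read_fat(data, sector_size):
    # Gather FAT entries from the FAT sectors listed in the header DIFAT (first 109 only).
    fat = []
    for s in struct.unpack_from("<109I", data, 76):
        sec = _sector(data, s, sector_size) if s <= MAXREGSECT else b""
        if len(sec) < sector_size:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), sec))
    return fat


def chain(fat, start):
    # Follow a FAT chain; stop at end-of-chain, a loop or an out-of-range entry.
    seen, s = [], start
    while s <= MAXREGSECT and s < len(fat) and s not in seen:
        seen.append(s)
        s = fat[s]
    return seen


def ole_slack(data):
    """Declared stream sizes, file size minus declared bytes (the report's metric), and bytes
    outside any FAT-allocated sector (assumed here to be what 'unallocated sector slack' means)."""
    if len(data) < HEADER or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    _, major, _, shift = struct.unpack_from("<4H", data, 24)   # minor, major, byte order, sector shift
    sector_size = 1 << shift
    fat = read_fat(data, sector_size)
    streams = {}
    for d in chain(fat, struct.unpack_from("<I", data, 48)[0]):  # first directory sector
        sec = _sector(data, d, sector_size)
        for off in range(0, len(sec) - 127, 128):
            entry = sec[off:off + 128]
            name_len, etype = struct.unpack_from("<HB", entry, 64)
            if etype != 2:          # 2 = stream; root, storage and unused entries hold no bytes
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", entry, 120)[0]
            streams[name] = size if major >= 4 else size & 0xFFFFFFFF  # v3: low 32 bits only
    declared = sum(streams.values())
    body = max(len(data) - sector_size, 0)               # everything after the header slot
    covered = min(len(fat), -(-body // sector_size))     # sectors the FAT actually describes
    allocated = sum(1 for i in range(covered) if fat[i] != FREESECT)
    return {"file_size": len(data), "streams": streams, "declared_stream_bytes": declared,
            "slack_bytes": len(data) - declared, "slack_ratio": round((len(data) - declared) / len(data), 3),
            "unallocated_bytes": body - allocated * sector_size}


def find_api_refs(data, names=(b"CreateProcessA", b"CreateProcessW", b"WinExec")):
    """(offset, xor_key, name) for each API name found in the clear (key 0) or under any
    single-byte XOR key; encoding the needle rather than the file keeps this cheap."""
    hits = []
    for name in names:
        for key in range(256):
            needle = bytes(b ^ key for b in name)
            pos = data.find(needle)
            while pos != -1:
                hits.append((pos, key, name.decode()))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


def xor(buf, key):
    return bytes(b ^ key for b in buf)


def build_sample(trailer=b""):
    """Constructed minimal v3 compound file (test data, not the report's sample): FAT in sector 0,
    directory in sector 1, one 4096-byte 'WordDocument' stream in sectors 2-9, then an optional
    unreferenced trailer standing in for slack."""
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 10)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    def entry(name, etype, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00" if name else b""
        e = bytearray(128)
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 64, len(n), etype, 1)           # name length, type, colour
        struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)   # left, right, child
        struct.pack_into("<IQ", e, 116, start, size)                # start sector, stream size
        return bytes(e)
    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + entry("WordDocument", 2, NOSTREAM, 2, 4096)
    directory += entry("", 0, NOSTREAM, 0, 0) * 2
    hdr = bytearray(HEADER)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<5H", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)         # minor, major 3, byte order, 2^9, 2^6
    # dir-sector count (v4 only), 1 FAT sector, first dir sector 1, txn sig, cutoff 4096, no mini-FAT, no DIFAT
    struct.pack_into("<8I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)        # DIFAT: the only FAT sector is 0
    return bytes(hdr) + struct.pack("<128I", *fat) + directory + bytes(range(256)) * 16 + trailer
```

On a real file call `ole_slack(open("suspect.doc", "rb").read())` and `find_api_refs(...)` on the same bytes. The two slack figures differ: `slack_bytes` also counts the header, FAT and directory sectors, so it is never zero, while `unallocated_bytes` isolates sectors the FAT marks free plus anything past the last described sector, which is where an appended payload actually lands. The XOR scan only covers single-byte keys and, like the scanner's string heuristic, reports a reference, not proof of execution; a hit inside the unallocated region with a non-zero key is the combination worth pulling apart by hand. Files large enough to need DIFAT sectors beyond the header's 109 entries are not fully walked here.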