Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 813301538e2efeea…

MALICIOUS

Office (OLE) / .DOC

Size: 75.9 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 54174b0eedb64344a57611b5cab723b0
SHA-1: a99cab8f72e1cbda18ca1efd495dcd851edf1bff
SHA-256: 813301538e2efeea33d7c01c5bf255abe4ea3d0169dd69d279874de133050dc8
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OLE document exhibits a significant slack space anomaly (73%), which is often indicative of a packed or obfuscated payload. Heuristics also indicate the presence of APIs commonly used for memory manipulation and loading external code, such as VirtualAlloc, LoadLibrary, and GetProcAddress. While no specific malicious URLs or scripts were extracted, the structural anomalies and API calls suggest the file's primary purpose is likely to download and execute a secondary-stage payload.

Heuristics (5)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 77,728 bytes but its declared streams total only 21,151 bytes; the remaining 56,577 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (the standard OOXML DrawingML XML namespace URI, not a download location)