Office (OLE) / .AMW malware analysis — malicious · 81749ddfabf600fc

MALICIOUS

Office (OLE) / .AMW

178.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 679e6574c736f79790257b3b4656afd1 SHA-1: af49b1b01dff55f5cc8dee01b24139ef74826ec2 SHA-256: 81749ddfabf600fc13ecce5180b71f5208adb6dd8a4d416d85ca155ba7dca7a2

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1059.001 PowerShell T1204.002 Malicious File T1055 Process Injection

The sample exhibits high-confidence heuristic firings for WinExec, CreateProcess, and cmd.exe, indicating an attempt to execute commands. The presence of VirtualAlloc and LoadLibrary suggests dynamic code loading. The OLE Slack Anomaly indicates a potentially packed or obfuscated payload within the document. The document body is heavily obfuscated and unreadable, providing no direct clues to the lure.

Heuristics 7

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 182,280 bytes but its declared streams total only 94,801 bytes — 87,479 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.