Office (OLE) / .DOC malware analysis — malicious · 88cf6f4a79fa8880

MALICIOUS

Office (OLE) / .DOC

137.9 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 7a67264aac3d5ad6140e1ec5b92e0c85 SHA-1: af0a3bb554bc7d7a6f922732dbd1f597af6ea867 SHA-256: 88cf6f4a79fa8880af86c8d17f98b95347c38bbeb738307816a72d6b59db2c04

220 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell

The presence of multiple high-severity heuristics related to process creation (CreateProcess, ShellExecute), memory allocation (VirtualAlloc), and dynamic library loading (LoadLibrary, GetProcAddress) strongly suggests the document contains malicious code. The OLE slack anomaly further indicates potential obfuscation or embedded malicious content. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the API calls point towards arbitrary code execution.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 141,216 bytes but its declared streams total only 21,151 bytes — 120,065 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.