Office (OLE) / .DOC malware analysis — malicious · 899205fb85965d11

MALICIOUS

Office (OLE) / .DOC

185.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 23fef93e6e6971ac1ed7531d515bdb73 SHA-1: 5c2527ae766fa94ae261e10f3d0608b7b79fca56 SHA-256: 899205fb85965d116a708b65296ca36f7dee8b84c25082aaa746270723534429

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is a malicious OLE document with a significant slack space anomaly, indicating potential obfuscation or embedded content. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, common in malware for loading and resolving functions from dynamic-link libraries. This suggests the document is designed to execute arbitrary code, likely by leveraging a vulnerability to download and run a secondary payload.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 189,440 bytes but its declared streams total only 94,801 bytes — 94,639 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.