Office (OLE) / .DOC malware analysis — malicious · 89bdacd72734d18b

MALICIOUS

Office (OLE) / .DOC

75.9 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 71f3deb3ebc2bb536e7e174c53e74cf7 SHA-1: 803472349f4c5b0b1c06f4b5979f7de2f883bcad SHA-256: 89bdacd72734d18b94dfca2f53db80cc4530d976164ba38fb8731f5221b8fcda

120 Risk Score

Malware Insights

MITRE ATT&CK

T1218 System Binary Proxy Execution T1059 Command and Scripting Interpreter

The OLE document exhibits a large slack space anomaly, suggesting potential obfuscation or embedded malicious content. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, commonly employed by malware to load and execute additional code. While no specific document body content or scripts were extracted, the API calls strongly suggest the file's purpose is to download and execute a second-stage payload.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 77,728 bytes but its declared streams total only 21,151 bytes — 56,577 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.