Office (OLE) / .DOC malware analysis — malicious · 8afc7b7ab8dafebd

MALICIOUS

Office (OLE) / .DOC

246.5 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 5af9d8df432ae3360211f54c2854d582 SHA-1: e45cf83b4571b7c799eee6da381e7e554ff4f44e SHA-256: 8afc7b7ab8dafebd74b7af3b4e4df9e8fb0f63c2da2b8cb9a380a3488ea22842

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document exhibiting a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, common for dynamic code loading and execution. The document body is heavily obfuscated with non-printable characters, preventing a clear understanding of its user-facing lure. The combination of these factors suggests the document is designed to exploit a vulnerability and download or execute a secondary payload.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 252,416 bytes but its declared streams total only 94,801 bytes — 157,615 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.