Office (OLE) / .DOC malware analysis — malicious · 8c65d6edff098608

MALICIOUS

Office (OLE) / .DOC

228.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 1d188d4c0367ab7edade0c8c75bc5fa4 SHA-1: 88216b8915b36c73fa692a769e46e01cadeeaa5f SHA-256: 8c65d6edff098608c965bf60374a06a0186ca5dff729f41ff5f992e5e8126d08

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1055.012 Process Hollowing T1055.001 Process Injection

The sample is a malicious OLE document with a large slack space anomaly, indicating potential obfuscation or embedded content. High-severity heuristics indicate the presence of PEB access and API hash resolution, commonly used by malware to dynamically resolve API functions like LoadLibrary and GetProcAddress. These techniques suggest the document is designed to load and execute arbitrary code, likely a second-stage payload. The document body contains heavily garbled text, providing no clear user-facing lure.

Heuristics 5

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 233,472 bytes but its declared streams total only 94,801 bytes — 138,671 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.