Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8eb5931b61660c2a…

MALICIOUS

Office (OLE) / .DOC

Size: 59.5 KB (60,944 bytes)
Created: 2005-05-04 05:46:00
Authoring application: Microsoft Word 9.0
MD5: 7b36e1bb5e945fb9ff05674b850d6e0c
SHA-1: 8e28ca6ee99785391657ade7682512299ce55d85
SHA-256: 8eb5931b61660c2a3df1ebabebefe8a4654635b777e84f6768d21ffba7a28d35
Risk Score: 160

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment

The OLE document contains an embedded PE executable, flagged by the OLE_EMBEDDED_EXE heuristic, which suggests the document is a dropper or container for a malicious payload. The NOP sled and the push-string-call hit further indicate shellcode or exploit code inside the document. The document body text is nonsensical and is most likely obfuscated or placeholder content.

Two checks are worth making before relying on the shellcode hits. First, the carved PE starts at offset 0x4B00 and is 41,744 bytes long, so it ends at byte 60,944, the end of the file; it is also larger than all the declared streams combined (41,744 versus 16,490 bytes), so most of it necessarily lies in the 44,454-byte region that OLE_SLACK_ANOMALY reports as unaccounted for. Second, the 0x90 run and the PUSH imm32 sequence should be located relative to that 0x4B00 to end-of-file range: inside it they may simply be the embedded executable's own code or padding, while in the slack before 0x4B00 they are consistent with parser-targeted shellcode. The heuristics listed below are purely static and none of them shows a PowerShell invocation, so the T1059.001 mapping should be confirmed from the behaviour of the carved executable rather than from this document alone.

Heuristics (4)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document; possible embedded executable
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 60,944 bytes but its declared streams total only 16,490 bytes; the remaining 44,454 bytes (73%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • x86 push-string-call [medium] SC_PUSH_STRING
    Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack
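All four heuristics are simple byte-level checks, so they can be re-run locally to confirm the hits and, more usefully, to see whether the NOP sled and the PUSH imm32 chain sit inside the carved PE or in the document slack before it. The Python below is an added example written for this page, not the analysis service's own code: it reimplements the slack arithmetic, the MZ/e_lfanew/PE carve, the 0x90 run scan and the PUSH imm32 string reconstruction, and runs them over a small constructed buffer (OLE magic, filler, a 24-byte NOP sled, `push "exe\0"; push "cmd."`, a gap, and a minimal fake MZ/PE header). The keyword list used to call a rebuilt string suspicious is an assumption; the declared-stream total for a real file would come from walking the OLE directory (for example with olefile), which this example takes as a number rather than parsing.

```python
"""Byte-level re-implementation of the report's four heuristics.
Added example for this page with a constructed sample; not the service's own code."""
import struct

NOP_SLED_MIN = 20  # report threshold: "Found 20+ consecutive 0x90 bytes"
# Assumed keyword list for "execution, network, or Windows API" strings.
SUSPICIOUS_WORDS = ("exe", "cmd", "http", "urlmon", "ws2_32", "loadlibrary", "getproc", "winexec")


def ole_slack(file_size: int, declared_stream_bytes: int) -> tuple[int, int]:
    """Bytes not covered by declared streams, and that as a whole percentage.
    The declared total comes from walking the OLE directory (e.g. olefile); it is a parameter here."""
    slack = file_size - declared_stream_bytes
    return slack, round(100 * slack / file_size)


def carve_pe(buf: bytes) -> list[tuple[int, int]]:
    """MZ headers whose e_lfanew points at a valid 'PE\\0\\0' signature, as (offset, length).
    Length runs to end of file, which is how the report's carver sized its artifact."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x400 and buf[sig:sig + 4] == b"PE\x00\x00":
                hits.append((pos, len(buf) - pos))
        pos = buf.find(b"MZ", pos + 1)
    return hits


def nop_sleds(buf: bytes, min_len: int = NOP_SLED_MIN) -> list[tuple[int, int]]:
    """Runs of 0x90 at least min_len long, as (offset, length)."""
    runs, i = [], 0
    while i < len(buf):
        j = i
        while j < len(buf) and buf[j] == 0x90:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j if j > i else i + 1
    return runs


def _text_chunk(chunk: bytes) -> bool:
    """Four immediate bytes that look like part of an ASCII string (NUL allowed as terminator)."""
    return sum(0x20 <= b < 0x7F for b in chunk) >= 3 and all(0x20 <= b < 0x7F or b == 0 for b in chunk)


def push_strings(buf: bytes, min_pushes: int = 2) -> list[tuple[int, str]]:
    """Chains of PUSH imm32 (opcode 0x68) whose immediates are text, as (offset, string).
    The last PUSH lands at the lowest address, so the string is the chunks in reverse push order."""
    found, i = [], 0
    while i + 5 <= len(buf):
        chunks, j = [], i
        while j + 5 <= len(buf) and buf[j] == 0x68 and _text_chunk(buf[j + 1:j + 5]):
            chunks.append(buf[j + 1:j + 5])
            j += 5
        if len(chunks) >= min_pushes:
            found.append((i, b"".join(reversed(chunks)).rstrip(b"\x00").decode("ascii")))
            i = j
        else:
            i += 1
    return found


def is_suspicious(text: str) -> bool:
    return any(w in text.lower() for w in SUSPICIOUS_WORDS)


def attribute(hits, pe_regions) -> list[tuple[int, str]]:
    """Mark each hit as inside or outside a carved PE. Inside, a 0x90 run or PUSH chain is often
    the executable's own code or padding; outside, in slack, it is document-level shellcode."""
    return [(off, "inside-embedded-pe" if any(s <= off < s + n for s, n in pe_regions)
             else "outside-embedded-pe") for off, *_ in hits]


def analyze(buf: bytes) -> dict:
    pe, sleds, pushes = carve_pe(buf), nop_sleds(buf), push_strings(buf)
    return {
        "embedded_pe": pe,
        "nop_sleds": sleds,
        "push_strings": [(o, s, is_suspicious(s)) for o, s in pushes],
        "attribution": attribute(sleds + pushes, pe),
    }


# Constructed sample: OLE magic, filler, a 24-byte NOP sled, push "exe\0"; push "cmd.",
# a gap, then a minimal MZ header whose e_lfanew (0x40) points at "PE\0\0".
_FAKE_PE = bytearray(b"MZ" + b"\x00" * 0x3E)
_FAKE_PE[0x3C:0x40] = (0x40).to_bytes(4, "little")
_FAKE_PE += b"PE\x00\x00" + b"\x00" * 60
SAMPLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"A" * 40
          + b"\x90" * 24 + b"\x68exe\x00\x68cmd." + b"\x00" * 8 + bytes(_FAKE_PE))

if __name__ == "__main__":
    print(ole_slack(60944, 16490))  # the report's numbers
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

To run this against the real sample, read the file into `buf` and call `analyze(buf)`; hits whose offsets fall below 0x4B00 are in document slack, those at or above it belong to the carved executable, and the attribution field makes that split explicit.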

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00004b00.exe
SHA-256:  6652fed97617e487ec02d18e4020c80325300cb55dc162e06ecadb2d89905775
Kind:     embedded-pe
Source:   Office, MZ+PE at offset 0x4B00
Size:     41,744 bytes