Office (OLE) / .DOC malware analysis — malicious · 8f100cf3cae0439a

MALICIOUS

Office (OLE) / .DOC

58.7 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: b5ef2691e85d5283ae62240837f1d91a SHA-1: 22c9f3260f743ff5e4e01c49ca4dc0245483116e SHA-256: 8f100cf3cae0439afd312f9ad99d23577a9a056c43b8bb462bb5ec82a947783e

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell

The sample is a malicious OLE document containing a reference to the CreateProcess API, indicating an attempt to launch an external process. The embedded URL, while seemingly benign, is suspicious in the context of a malicious document. The large slack space in the OLE structure is also a common characteristic of packed or obfuscated malicious documents. No scripts were extracted, limiting the ability to determine the exact payload or persistence mechanism.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 60,064 bytes but its declared streams total only 21,151 bytes — 38,913 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.savetibet.org/files/documents/Report_on_Tibet_Negotiations_2010.pdf

Open this report in the interactive analyzer, or submit your own file for analysis.