Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8f235b8acdc6858e…

MALICIOUS

Office (OLE) / .DOC

Size: 179.0 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: 1cbd55e9b795c1c4622e8902a11a93d1
SHA-1: 33c1ea78b65cb99e316f79a8278c1bb7d176cbcc
SHA-256: 8f235b8acdc6858ed7daf15023917ff4db924678c395ccc8f65a3482802ec7c8
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1218.011 System Binary Proxy Execution: Rundll32
  • T1055 Process Injection
  • T1055.012 Process Injection: Process Hollowing

The sample exhibits high-confidence heuristic firings for WinExec, CreateProcess, LoadLibrary, and GetProcAddress, indicating dynamic code execution. A suspicious cmd.exe invocation with an execution flag was also detected. The OLE slack anomaly suggests potential obfuscation or appended data. These indicators collectively point to a malicious document designed to execute arbitrary code, likely for downloading and running a second-stage payload.

Heuristics (7)

  • Reference to WinExec API [high] SC_STR_WINEXEC
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Suspicious cmd.exe invocation with execution flag [high] SC_STR_CMD
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 183,296 bytes but its declared streams total only 94,801 bytes; the remaining 88,495 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC