Office (OLE) / .DOC malware analysis — malicious · 8fb7ce7ec249d2ed

MALICIOUS

Office (OLE) / .DOC

205.2 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 10f17f7123b892f511d24e11982ef587 SHA-1: 355d1871c99f98e6cc8cc4a683e80df866a4360c SHA-256: 8fb7ce7ec249d2ed507bc59cdec64584a49b8f6ed33881d9af1f271df29df4cb

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1027 Obfuscated Files or Information

The presence of LoadLibrary and GetProcAddress API calls, along with a significant slack space anomaly in the OLE structure, indicates the document likely contains embedded shellcode or exploits. While no specific document body text or scripts were extracted, these indicators suggest the file is designed to download and execute a second-stage payload, a common technique for unknown malware families.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 210,176 bytes but its declared streams total only 94,801 bytes — 115,375 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.