Office (OLE) / .DOC malware analysis — malicious · 90014f1552723311

MALICIOUS

Office (OLE) / .DOC

1014.1 KB Created: 2006-04-29 01:29:00 Authoring application: Microsoft Office Word

MD5: 5d0be7c183a55653de210229e9cc8ebe SHA-1: 8be875c6f4d7fa848f5c89ff1b47a961ff4a3416 SHA-256: 90014f1552723311e504b92740f7461cc2069e2c63b71ddc690b11efe2b6e94e

442 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.005 Visual Basic T1105 Ingress Tool Transfer

The file is a malicious OLE document containing an embedded SWF object, which is a known vector for exploits. Heuristics indicate the presence of a NOP sled, API calls related to process creation and memory allocation (CreateProcess, VirtualAlloc, LoadLibrary, GetProcAddress), and a large appended payload. ClamAV also detected it as Win.Exploit.MSWord-6. While VBA macros could not be extracted, the presence of an XLM macro sheet and the overall structure suggest an exploit delivery mechanism.

Heuristics 13

Legacy Flash object embedded in Office document high CVE related OFFICE_LEGACY_SWF_OBJECT

Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (5). This is old Flash-in-Office exploit-family evidence, not a specific Flash CVE without SWF tag-level validation.
Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF

Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
ClamAV: Win.Exploit.MSWord-6 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Exploit.MSWord-6
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 1,038,434 bytes but its declared streams total only 26,783 bytes — 1,011,651 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.