Office (OLE) / .DOC malware analysis — malicious · 900bb2ac3f5ab4a1

MALICIOUS

Office (OLE) / .DOC

135.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: fd22e4cdcb05b06bf3a384d60f74127f SHA-1: d82e11501d9fe718ed3050cb2adec34be11a6e52 SHA-256: 900bb2ac3f5ab4a1b731e9a94ac4d308376fa23058483b6701a6b9612f523384

160 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of Windows API functions like VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress, which are commonly used by malware to allocate memory and load dynamic libraries. An embedded URL was also detected. These factors suggest the document is likely a malicious loader or dropper, though the specific family is not identifiable from the provided evidence.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 138,684 bytes but its declared streams total only 21,151 bytes — 117,533 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.