Malicious Office (OLE) / .AMW — malware analysis report

Static analysis result for SHA-256 920ed0c2360fd4b4…

MALICIOUS

Office (OLE) / .AMW

Size: 191.9 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: 91afb40d761ce608c5b1d93ded15fd4d
SHA-1: 5c6e6e0e3e27c4b7c6e655b8a15a26dd1bdaba6e
SHA-256: 920ed0c2360fd4b4f3db2b1bbd0f4f14f8936509bf3ec968ab4b80241562ff36
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The sample exhibits a large OLE slack anomaly, which suggests obfuscation or embedded malicious content. High-severity heuristics flag references to Windows API functions commonly associated with shellcode execution and dynamic library loading (VirtualAlloc, LoadLibrary, GetProcAddress). Together these point to an attempt to download and execute a second-stage payload, most likely by exploiting a vulnerability triggered by the Office document itself.

Heuristics (4)

  • Reference to LoadLibrary API (severity: high) SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API (severity: high) SC_STR_GETPROCADDRESS
  • OLE document has large unaccounted-for region (severity: high) OLE_SLACK_ANOMALY
    The OLE file is 196,552 bytes, but its declared streams total only 94,801 bytes; the remaining 101,751 bytes (52%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium) SC_STR_VIRTUALALLOC