Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9595a31bdc2de347…

MALICIOUS

Office (OLE) / .DOC

Size: 326.5 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: 5a3c028d66ad62d148c417d365dc6c8d
SHA-1: 6efb439a6cff1d04f0feea8ccd5c8cbf6e04dc80
SHA-256: 9595a31bdc2de3471cd6a12ee8ecbed746f7f457e2ff19ade9813f684b946d5a
Risk Score: 300

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1218 System Binary Proxy Execution
  • T1059.001 PowerShell

The sample exhibits high-confidence heuristics for WinExec, CreateProcess, LoadLibrary, and GetProcAddress, indicating dynamic code execution. The presence of a 'Visible LOLBin command execution instruction' heuristic, along with references to cmd.exe, strongly suggests the document is designed to launch malicious commands. The embedded URLs likely serve as sources for downloading and executing further payloads. No scripts were extracted from this sample, limiting deeper analysis of specific execution chains.

Heuristics (9)

  • Reference to WinExec API (severity: high, id: SC_STR_WINEXEC)
  • Reference to CreateProcess API (severity: high, id: SC_STR_CREATEPROCESS)
  • Suspicious cmd.exe invocation with execution flag (severity: high, id: SC_STR_CMD)
  • Reference to LoadLibrary API (severity: high, id: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, id: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, id: OLE_SLACK_ANOMALY)
    OLE file is 334,336 bytes but its declared streams total only 94,801 bytes — 239,535 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Visible LOLBin command execution instruction (severity: high, id: SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Reference to VirtualAlloc API (severity: medium, id: SC_STR_VIRTUALALLOC)
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://gundogar.org
    • http://www.turkmenistan.gov.tm/_en/?idr=4&id=100125a
    • http://www.chrono-tm.org/en/?id=1273
    • http://www.gundogar.org/?022500000000000000011062010010000
    • http://www.gundogar.org/?022500000000000000011062010010000#9002
    • http://ferghana.ru/2/2/10
    • http://www.turkmenistan.ru/?page_id=3&lang_id=en&elem_id=16241&type=event&sort=date_desc
    • http://ferghana.ru
    • http://afghanistan.ru/2/1/10
    • http://www.afghanistan.ru/doc/16541.html
    • http://afghanistan.ru
    • http://www.chrono-tm.org/en/?id=1276
    • http://www.chrono-tm.org/?id=2416
    • http://www.forum18.org/Archive.php?article_id=1403
    • http://forum18.org
    • http://www.forum18.org/Archive.php?article_id=1404
    • https://mail.osi.hu/exchweb/bin/redir.asp?URL=http://www.eurasianet.org/resource/uzbekistan/index.shtml
    • http://www.itar-tass.com/eng/level2.html?NewsID=14754602&PageNum=0
    • http://www.eurasianet.org/departments/insight/articles/eav020310a.shtml
    • http://eurasianet.org/1/29/10
    • http://www.eurasianet.org/departments/news/articles/eav012910c.shtml
    • http://www.wam.ae/servlet/Satellite?c=WamLocEnews&cid=1264322513066&pagename=WAM%2FWAM_E_Layout&parent=Query&parentid=1135099399852
    • http://turkmenistan.usembassy.gov/2010_press_releases.html
    • http://www2.ohchr.org/english/bodies/hrc/hrcs_future.htm
    • http://www.eurasianet.org/resource/uzbekistan/index.shtml
    • http://www.soros.org/
    • http://www.eurasianet.org/
    • http://www.eurasianet.org
    • http://www.eurasianet.org/resource/turkmenistan/index.shtml
    • http://www.eurasianet.org/resource/turkmenistan/newsarchive/