Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 95e80f5706f05813…

MALICIOUS

Office (OLE) / .DOC

1.17 MB Created: 2004-10-15 14:28:00 Authoring application: Microsoft Word 8.0
MD5: 712fa57329d38316237a6a4b6c35454a SHA-1: 37cdff4401e6d6fb3ec2c334d7997fe6296b84ec SHA-256: 95e80f5706f058132113eb9b3904d9cd1314ce17358c7945fe65c8a3a722a36d
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The file is detected as Win.Trojan.Updown-1 by ClamAV. Static analysis revealed references to LoadLibrary and GetProcAddress APIs, suggesting dynamic code loading or execution. The OLE document structure shows a significant amount of slack space, which is often used to hide malicious payloads. The document body presents a detailed business proposal for medical equipment, likely a social engineering lure to encourage user interaction.

Heuristics 4

  • ClamAV: Win.Trojan.Updown-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Updown-1
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,225,728 bytes but its declared streams total only 668,136 bytes — 557,592 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
7e211cca1522282eed5b33d915def5a8b93ab43d461407059c80ff970bf6a9c9		 ole-package OLE Ole10Native stream: ObjectPool/_1082197927/Ole10Native 119204 bytes
ole10native_01.bin
7bc37e878988ce0c9c0162339d3409e0e0337fb10597fb7df8f7b10c2a343dea		 ole-package OLE Ole10Native stream: ObjectPool/_1082197929/Ole10Native 130180 bytes
ole10native_02.bin
cc36ebb9a10c6eb7afcaca844caeb9727a67bb22c3b9c7a540dfb5cacde34e37		 ole-package OLE Ole10Native stream: ObjectPool/_1088268203/Ole10Native 9028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.