Office (OLE) / .DOC malware analysis — malicious · 963c58c06d82485d

MALICIOUS

Office (OLE) / .DOC

86.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: bb2ab4f1724a4c00a22fc12d5dfeabc0 SHA-1: 9724e7b47dae532e01c96d14b695d8855bf6161f SHA-256: 963c58c06d82485dda459c85d0f4ee56bf255c129edc35a46e4e62e80d22df2f

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, commonly used by malware to execute payloads. The large slack space and embedded executable are strong indicators of a dropper.

Heuristics 5

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 88,480 bytes but its declared streams total only 21,151 bytes — 67,329 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded PE executable high OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable

Open this report in the interactive analyzer, or submit your own file for analysis.