Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 96ba94294ec20a48…

MALICIOUS

Office (OLE) / .DOC

62.7 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 5e244883ee0865c9ab7f32c5ad977c6a SHA-1: 3bc9a8d179511b86d8056fa53c30251752e1c391 SHA-256: 96ba94294ec20a48c0b070860d0594d906377f090bdede18910cf4d274409b5c
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is a malicious OLE document with a high slack anomaly, indicating potential obfuscation or embedded malicious content. A heuristic firing for CreateProcess API suggests the document attempts to launch an external process. No document body or script content was available for further analysis, limiting the ability to determine the specific payload or delivery mechanism.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 64,160 bytes but its declared streams total only 21,151 bytes — 43,009 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.