Office (OLE) / .DOC malware analysis — malicious · 99553dd0089921dc

MALICIOUS

Office (OLE) / .DOC

169.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 1f9d8f59687545470cf8d292aba72750 SHA-1: 770b00d6949906784cabcf0fcccef61ad9c2db5a SHA-256: 99553dd0089921dc8bb44d505e375b789821df882542bab3f5cef8963175c529

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The OLE document exhibits a significant slack space anomaly and contains an embedded PE executable. Heuristics indicate the use of APIs like VirtualAlloc, LoadLibrary, and GetProcAddress, suggesting the embedded executable is likely staged for execution. The document body is heavily obfuscated and does not provide clear user-facing content, further supporting a malicious intent to deliver a payload.

Heuristics 5

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 173,912 bytes but its declared streams total only 94,801 bytes — 79,111 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0001c800.exe` `ce5d927240b74a38a9cfe9f18d2c439ee2a5156c15a637a28f2ee53fdef8b8f7`	embedded-pe	Office MZ+PE at offset 0x1C800	57176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.