Office (OLE) / .DOC malware analysis — malicious · 9b279ec3a4a7d724

MALICIOUS

Office (OLE) / .DOC

185.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 432d13b61c05a27f95969d288f5b6cf2 SHA-1: 648ba236b295ed3c9243d87df5ecc744effd9f4a SHA-256: 9b279ec3a4a7d724b5c6994f916868792faa055f1ab8b6385939a06fcdb7639a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The sample is a malicious OLE document exhibiting a large slack anomaly, indicating hidden or packed content. Heuristics indicate the use of LoadLibrary and GetProcAddress APIs, common for dynamically loading malicious code. The document body is heavily obfuscated and unreadable, suggesting it's designed to hide its malicious intent. The combination of these factors points to a macro-based document designed to download and execute a secondary payload.

Heuristics 3

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 189,440 bytes but its declared streams total only 94,801 bytes — 94,639 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.