Office (OLE) / .DOC malware analysis — malicious · a149ca813dd45a98

MALICIOUS

Office (OLE) / .DOC

63.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 01ef8349d36c25579e7ba2c6d180bd5c SHA-1: f8c69ca89bdb2802a2b3f1b8b831ee4929c6255a SHA-256: a149ca813dd45a98d949ec7cfd29f40dc706c1660d69a96805ea1e73593bfe1d

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious OLE document that contains a large slack space anomaly. A high-severity heuristic firing indicates a reference to the CreateProcess API, suggesting the document attempts to launch an external process. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or delivery mechanism.

Heuristics 2

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,672 bytes but its declared streams total only 21,151 bytes — 43,521 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.