Office (OLE) / .DOC malware analysis — malicious · a21c910f2ecfaaf0

MALICIOUS

Office (OLE) / .DOC

100.9 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 69bb12dcb109a403acfd7be1270219f5 SHA-1: 352a6c83816650d9687b94462e7b4aaba99238d6 SHA-256: a21c910f2ecfaaf0d702b2b2e3f6d5cccc6c3e4515e632ad5fecddaeb175608b

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The OLE document exhibits a significant slack space anomaly (80% of the file), which is often used to hide malicious content. Additionally, a high-severity heuristic detected a reference to the CreateProcess API, indicating a potential attempt to execute external processes. While a URL was extracted, it was confirmed as benign. No scripts were extracted from this sample. The combination of these factors suggests a malicious OLE document, but without further script or payload details, the exact family and attack vector remain unclear.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 103,328 bytes but its declared streams total only 21,151 bytes — 82,177 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.