Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a3c62783f1ac215f…

MALICIOUS

Office (OLE) / .DOC

Size: 101.9 KB
Created: 2006-04-29 01:29:00
Authoring application: Microsoft Office Word
MD5: 5f0120e9036003df7aae620880ddd731
SHA-1: adb6999f431e22ded99b3d9e310f55aafb18fec6
SHA-256: a3c62783f1ac215f4c7f3cfc425280c0cf63544a33ad9a4130d2629aa0bf679f
Risk Score: 280

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File

The sample exhibits characteristics of a malicious Office document, including a large slack space anomaly and the presence of a NOP sled. High-severity heuristics indicate the potential for arbitrary code execution through references to WinExec, CreateProcess, and LoadLibrary APIs. The PEB access via FS segment further suggests evasion or anti-analysis techniques. No document body or script content was available for further analysis.

Heuristics (7)

  • NOP sled detected (severity: high, SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP ESI) (severity: high, SC_GETPC_CALL)
  • PEB access via FS segment (x86) (severity: high, SC_PEB_ACCESS)
  • Reference to WinExec API (severity: high, SC_STR_WINEXEC)
  • Reference to CreateProcess API (severity: high, SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high, SC_STR_LOADLIBRARY)
  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 104,367 bytes but its declared streams total only 26,783 bytes — 77,584 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).