Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a62e9e390f59b893…

Verdict: MALICIOUS
File type: Office (OLE) / .DOC
Size: 49.8 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: bd6217ab371a068102eb97a6128ce235
SHA-1: b08b3e8c7afb08a26aba5922aea5eba0df3aed09
SHA-256: a62e9e390f59b893296178ef311e2196c7d2ca0d1f8db45d12b254c874ade819
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1055 Process Injection

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristic firings for VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress strongly suggest the execution of shellcode or a dynamically loaded payload. No document body text or scripts were extracted, limiting further analysis of the specific lure or payload delivery mechanism.

Heuristics (5)

  • Reference to LoadLibrary API (severity: high, id: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, id: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, id: OLE_SLACK_ANOMALY)
    OLE file is 51,011 bytes but its declared streams total only 21,151 bytes; the remaining 29,860 bytes (59%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, id: SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (severity: medium, id: SC_STR_VIRTUALPROTECT)