Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ad64ed35e2d5d7d9…

MALICIOUS

Office (OLE) / .DOC

Size: 873.3 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: 6708f50667538fa66739b2c02659f109
SHA-1: b15ad04543081c7d95f243c4a1f14ee95832bfbc
SHA-256: ad64ed35e2d5d7d9f3395230340d71c1325f0479bf5ad3d014b0dd222946beee
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an OLE document with a large slack-space anomaly: most of the file lies outside any declared stream, which is indicative of obfuscation or embedded malicious content. High-severity heuristics flag string references to the CreateProcess and ShellExecute APIs, which are commonly used to execute external commands or launch payloads. The document body is heavily garbled, preventing analysis of its intended lure. No scripts were extracted from this sample. The combination of OLE structure anomalies and API references suggests an attempt to execute arbitrary code, likely to download and run a second-stage payload.

Heuristics (4)

  • Reference to CreateProcess API (severity: high, SC_STR_CREATEPROCESS)
    String reference to the CreateProcess API.
  • Reference to ShellExecute API (severity: high, SC_STR_SHELLEXEC)
    String reference to the ShellExecute API.
  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    The OLE file is 894,244 bytes but its declared streams total only 94,801 bytes; the remaining 799,443 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • NOP-equivalent sled detected (severity: medium, SC_NOP_EQUIV_SLED)
    Long run of 0x41 bytes (ASCII 'A'; on 32-bit x86 the byte decodes as inc ecx, so a run of it can serve as a NOP-equivalent sled). Such runs also occur as benign filler, hence the medium severity.