Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b38aa0c5156c33c9…

MALICIOUS

Office (OLE) / .DOC

142.5 KB
MD5: 704e4885ef5425739cfee262fdd81fcf
SHA-1: 9bf76efd38dd927e85e05a05626e61a5108dc377
SHA-256: b38aa0c5156c33c959bb00b0cc5f6c05825f76fe5352982775e9ee9bd348bf5c
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is an OLE document with significant slack space, indicating it may be packed or contain obfuscated data. Heuristics detected NOP sleds and references to LoadLibrary and GetProcAddress APIs, common in shellcode execution. The document body contains references to embedded Office objects, suggesting a multi-stage attack. Without further script analysis, the exact payload and delivery mechanism remain unclear.

Heuristics (4)

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 145,920 bytes but its declared streams total only 31,351 bytes — 114,569 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).