Office (OLE) / .DOC malware analysis — malicious · b3dda4adabc52c0e

MALICIOUS

Office (OLE) / .DOC

95.8 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 70bc6ea783ecb2d4616130bf08c9a606 SHA-1: 440eaf8b9f87f239189010e5e9fec85491c7c1e0 SHA-256: b3dda4adabc52c0e2ae8be840fa2e402e85f15238a4e526f776c5ca624e70c4b

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample exhibits several high-severity heuristic firings indicative of malicious intent, including PEB access and an API hash resolver, commonly used to evade detection. The large slack space in the OLE document is also suspicious. While no document body or scripts were extracted, these anti-analysis techniques strongly suggest the file is a loader or dropper for a secondary payload.

Heuristics 4

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 98,149 bytes but its declared streams total only 21,151 bytes — 76,998 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.