Office (OLE) / .DOC malware analysis — malicious · b45daad1052e5b65

MALICIOUS

Office (OLE) / .DOC

149.5 KB

MD5: 27f47e09e09aea911c9c8e7a6c842c15 SHA-1: 569fb293c0ce32598712745d39defdce8ac8a0cd SHA-256: b45daad1052e5b655410a54b55468d43f54ce94123557ffb141bd2c34376e381

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The presence of a SC_STR_CREATEPROCESS heuristic firing indicates an attempt to launch external processes, a common tactic for malware delivery. The OLE_SLACK_ANOMALY suggests the document may contain hidden or obfuscated malicious content. While no specific script was extracted, the embedded URL http://www.mp.nic.in is flagged as suspicious and could be used to download a secondary payload. The document body's content is not indicative of a specific lure.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 153,088 bytes but its declared streams total only 31,351 bytes — 121,737 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.mp.nic.in
- http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/exif/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/photoshop/1.0/
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.