Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b5550ea59298e738…

MALICIOUS

Office (OLE) / .DOC

Size: 64.0 KB
Created: 2005-08-27 11:18:00
Authoring application: Microsoft Word 9.0
MD5: 7cb50862d72f5e30cc7582bd3f429450
SHA-1: ed3122a39ba68493c314a49f7b43c20215a9f145
SHA-256: b5550ea59298e738bc00a1c499860560d920392068992757b0ca5c3fde89ca2f
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document's subject line and body text suggest a business transaction involving sensitive information, serving as the lure. A critical heuristic identified an embedded PE executable, indicating the document is a dropper. The OLE slack anomaly further supports the presence of hidden or unexpected content. The embedded executable is the primary payload, likely designed to execute malicious code when the document is opened.

Heuristics (2)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 65,536 bytes but its declared streams total only 17,048 bytes — 48,488 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000a000.exe
SHA-256:  a8402d7bbfe911fac569c070746ce93c01581ce7e02cd99850107814b73797b5
Kind:     embedded-pe
Source:   Office MZ+PE at offset 0xA000
Size:     24576 bytes