Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b87d3f8957a90fb9…

MALICIOUS

Office (OLE) / .DOC

Size: 174.4 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: 10bb7e5541195d632464423ec213fe29
SHA-1: 4dba938b5eb946c9bf8ad15c192ec50a20c3dd27
SHA-256: b87d3f8957a90fb9c0c323b6fbb40c8eeda7b5bd1bf279b16aa98fb405759f88
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious Office document, including a high-severity OLE slack anomaly and references to the Windows API functions VirtualAlloc, LoadLibrary, and GetProcAddress. Together these API references suggest the document is designed to load and execute arbitrary code, most likely a second-stage payload. No document body content or scripts were extracted that would detail the attack further, so the sample is classified as 'unknown family' with moderate confidence.

Heuristics (4)

  • Reference to LoadLibrary API (high) SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high) SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY
    OLE file is 178,624 bytes but its declared streams total only 94,801 bytes; the remaining 83,823 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (medium) SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API