Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 bcbcbdd57cd18e64…

MALICIOUS

Office (OLE) / .DOC

Size: 58.9 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 755c940ea2c13b9081a35f6436e9f954
SHA-1: 4d47a282aaa55625252d2f84b9735d1c618e486f
SHA-256: bcbcbdd57cd18e64b94f1e6ae2ced52f20379dd43abfd6e5b424a2f530bd3954
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document that contains a large slack space anomaly. A high-severity heuristic indicates the use of the CreateProcess API, suggesting an attempt to launch an external process. The document body is obfuscated and does not provide further clues. No scripts were extracted from this sample.

Heuristics (2)

  • Reference to CreateProcess API (severity: high, SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 60,320 bytes but its declared streams total only 21,151 bytes; 39,169 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).