Office (OLE) / .DOC malware analysis — malicious · bf3e946dbce346f5

MALICIOUS

Office (OLE) / .DOC

120.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 14c9d35ad12e6e83ca2d0d342ed33c4c SHA-1: 53a1fcdf484649399bd924173fd755d2715af25d SHA-256: bf3e946dbce346f5662685256e237904557eeceda5607fad00c4c20eb78707ce

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The presence of a CreateProcess API reference strongly suggests the document is designed to execute external code. The OLE Slack Anomaly indicates potential obfuscation or embedded malicious content. While the embedded URL was benign, the heuristic firings point towards a downloader or exploit execution pattern. No scripts were extracted from this sample.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 123,296 bytes but its declared streams total only 21,151 bytes — 102,145 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.