Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c147f9334723cfaf…

MALICIOUS

Office (OLE) / .DOC

55.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: bcf37d55d551741b93fcda2e4e40df54 SHA-1: c7fcf5183462e67d28241b3c3b8e014ecd5556e2 SHA-256: c147f9334723cfafb842efb971d6f28bb9472b6c2c4968ec190d1304a607735e
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document that contains a large slack space anomaly, indicating potential obfuscation or embedded malicious content. A high-severity heuristic firing indicates the use of the CreateProcess API, suggesting the document attempts to launch an external process. Without further script or body content, the exact nature of the payload remains unclear, but the CreateProcess API is commonly used for executing downloaded malware.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 56,736 bytes but its declared streams total only 21,151 bytes — 35,585 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.