Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c183bc4581a1128f…

MALICIOUS

Office (OLE) / .DOC

Size: 58.9 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 911fb0470fc625c72860bf9106f166c7
SHA-1: 09457d063a03a7b95fad0d386adb1a31ac413fe3
SHA-256: c183bc4581a1128f45f98a78919f6700124231ef21684193cc067f1e99041a38
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 User Execution: Malicious File

The OLE document exhibits a significant slack-space anomaly: most of the file lies outside its declared streams, which indicates obfuscation or embedded malicious content. The presence of a VirtualAlloc API reference further suggests the document is designed to allocate memory for executing arbitrary code. No specific exploit or payload is directly identifiable from the heuristics and document body alone, but the combination points to a malicious document that most likely leverages an Office parser vulnerability to achieve code execution.

Heuristics (2)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 60,320 bytes, but its declared streams total only 21,151 bytes; the remaining 39,169 bytes (65%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    The document body contains a reference to the VirtualAlloc API, which is commonly used to allocate memory for executing arbitrary code.