Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c70f9eaf1bdecb1d…

MALICIOUS

Office (OLE) / .DOC

65.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 9e8a355dc215b6762311af1f69d3dedb SHA-1: 334ade43257b4563acb2bcd104b4a7b7602772cf SHA-256: c70f9eaf1bdecb1d6af50c88f28c7361acc415504dbd437982474f7820a30c74
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell

The sample is an OLE document with a high slack space anomaly, indicating potential obfuscation or embedded malicious content. A heuristic firing for CreateProcess API suggests the document attempts to launch an external process. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or family.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 66,720 bytes but its declared streams total only 21,151 bytes — 45,569 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.