Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c72c79ff4bda7823…

MALICIOUS

Office (OLE) / .DOC

146.8 KB Created: 2006-04-29 01:29:00 Authoring application: Microsoft Office Word
MD5: f0d0ea239755d7df8e96d8eaa90f0ef5 SHA-1: 0d1d583f6d01e3bcb5b550f8fea101a646881733 SHA-256: c72c79ff4bda78236cd4cb0759bf1d63084d0e605e8c33e7946cc0a21557232a
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document with a significant slack space anomaly, suggesting embedded malicious content. Heuristics indicate the presence of shellcode, including NOP sleds, PEB access, and references to WinExec, CreateProcess, and LoadLibrary APIs, pointing towards code execution. The document body is minimal and uninformative. No scripts were extracted from this sample.

Heuristics 7

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP ESI) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP ESI)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 150,317 bytes but its declared streams total only 26,783 bytes — 123,534 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.