Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c7bbb714797c7213…

MALICIOUS

Office (OLE) / .DOC

102.0 KB
MD5: 989951cbefaea0e564cbcce38304fe87
SHA-1: 5d1de7bd5ff5d4acfbe501df30c3ffe9d158f63a
SHA-256: c7bbb714797c7213a4a25d9bf640a03cc8f9bbbb7c2ae76b6ea1336bf3354114
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1059 Command and Scripting Interpreter

The SC_STR_CREATEPROCESS heuristic firing indicates that the document likely attempts to spawn a process. The OLE slack anomaly suggests obfuscation or embedded malicious content. The document body also references embedded Office objects, which can be used to hide malicious code or an exploit.

Heuristics (2)

  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 104,448 bytes but its declared streams total only 31,351 bytes; 73,097 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).