Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c8d24df8d47c361a…

MALICIOUS

Office (OLE) / .DOC

Size: 173.0 KB
Created: 2001-12-14 14:26:00
Authoring application: Microsoft Word 9.0
MD5: 6338fbe599c9261988f276b8a79cc29a
SHA-1: beeb764bbe735d8bd40d844e2a55344b3235e23c
SHA-256: c8d24df8d47c361ae218df6f9bb8f58bd71dca95bf41180d47847da80793d74e
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1071.001 Web Protocols
  • T1218.011 Signed Binary Proxy Execution: Rundll32

The file triggers a critical ClamAV detection as Win.Trojan.Agent-335026. High-severity heuristics indicate PEB access and an API-hash resolver, along with references to the CreateProcess and LoadLibrary APIs, which together suggest execution of a secondary payload. The OLE slack anomaly further points to obfuscation or embedded malicious content. The document body is heavily obfuscated and unreadable, so it provides no direct clues about the lure.

Heuristics (6)

  • ClamAV: Win.Trojan.Agent-335026 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-335026
  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
    PEB access via FS segment (x86)
  • PEB API-hash resolver [high, SC_API_HASH_RESOLVER]
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
    Reference to CreateProcess API
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 177,154 bytes but its declared streams total only 94,801 bytes: 82,353 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).