Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c96d5e5ded6069dd…

MALICIOUS

Office (OLE) / .DOC

146.5 KB
MD5:     266709d9126b575f17f5a61cb3c1ee58
SHA-1:   7b5ae52893e57f6f849958f9cb302da6c8e788e0
SHA-256: c96d5e5ded6069dd33c378944f0e0111d64107ee68f012b371cb2f2bfd4bf722
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1055 Process Injection

The sample fires high-confidence string heuristics for WinExec, CreateProcess, a cmd.exe invocation with an execution flag, LoadLibrary and GetProcAddress, with VirtualAlloc at medium confidence. None of these strings belongs in the streams of a benign Word document, and as a set they match the usual stages of a shellcode stub: VirtualAlloc for a staging buffer, LoadLibrary/GetProcAddress to resolve imports by name, WinExec/CreateProcess/cmd.exe to launch the payload. They are string references found by static analysis, not observed behaviour, so execution has not been confirmed. The OLE slack anomaly is the stronger indicator: 79% of the file lies outside any declared stream, which is where exploit documents carry an encoded payload. No specific family is identified; the technique set is consistent with downloader or dropper functionality.

Heuristics (7)

  • SC_STR_WINEXEC (high): Reference to WinExec API
  • SC_STR_CREATEPROCESS (high): Reference to CreateProcess API
  • SC_STR_CMD (high): Suspicious cmd.exe invocation with execution flag
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    OLE file is 150,016 bytes but its declared streams total only 31,351 bytes; the remaining 118,665 bytes (79%) live in unallocated sector slack. A well-formed document also keeps its header, FAT and directory sectors outside any stream, so a gap of a few sectors is normal, but not a gap of this size. This is the classic hiding place for exploit-style (non-macro) Office payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure.
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
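
The slack measurement behind OLE_SLACK_ANOMALY and the plaintext API strings behind the SC_STR_* heuristics are both things an analyst will want to reproduce by hand before trusting a score. The Python below is an added example, not the scanner's code: with only the standard library it parses the compound-file header, FAT and directory, totals the declared stream sizes, collects every sector the FAT marks free or never covers, and brute-forces a single-byte XOR key over that slack looking for the same API strings. It runs on a constructed miniature OLE file built inline (the sample's hashes and 150,016-byte layout are not reproduced); the MARKERS list, the 0x5A key, the slack offset 700 and the "WordDocument" stream are all assumptions of this example. It also differs from the report in one respect: the report's 118,665 figure is file size minus declared stream bytes, whereas this code uses the FAT's own free-sector marks, so header, FAT and directory sectors are not counted as slack.

```python
"""Added example (not the scanner's code): measure CFB unallocated slack and XOR-scan it."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
# Plaintext strings the SC_STR_* heuristics key on; a real scanner would carry a longer list.
MARKERS = (b"WinExec", b"CreateProcess", b"LoadLibrary", b"GetProcAddress", b"cmd.exe")


def ole_slack_report(data: bytes) -> dict:
    """Parse the CFB header, FAT and directory, then return the declared stream total
    and the bytes of every sector the FAT marks free or never covers at all."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    major, _byte_order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    ssize = 1 << sector_shift
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)
    # Assumption: the FAT fits in the 109 in-header DIFAT slots (files under ~7 MB at 512-byte sectors).
    fat = []
    for s in difat[:num_fat]:
        if (s + 2) * ssize <= len(data):
            fat.extend(struct.unpack_from(f"<{ssize // 4}I", data, (s + 1) * ssize))

    def chain(start):
        """Follow a FAT chain; ENDOFCHAIN/FREESECT fall outside the FAT and stop the walk."""
        seen, s = [], start
        while s < len(fat) and s not in seen:
            seen.append(s)
            s = fat[s]
        return seen

    declared = 0
    for s in chain(first_dir):                              # directory sectors, four 128-byte entries each
        base = (s + 1) * ssize
        for off in range(base, min(base + ssize, len(data) - 127), 128):
            if data[off + 0x42] == 2:                       # object type 2 = stream
                size, = struct.unpack_from("<Q", data, off + 0x78)
                declared += size & 0xFFFFFFFF if major == 3 else size   # v3: only the low dword counts
    total_sectors = (len(data) - 1) // ssize                # sectors after the header, partial tail rounded up
    unalloc = [i for i in range(total_sectors) if i >= len(fat) or fat[i] == FREESECT]
    slack = b"".join(data[(i + 1) * ssize:(i + 2) * ssize] for i in unalloc)
    return {"file_bytes": len(data), "declared_stream_bytes": declared,
            "unallocated_sectors": unalloc, "slack_bytes": len(slack),
            "slack_ratio": round(len(slack) / len(data), 3), "slack": slack}


def xor_scan(blob: bytes, markers=MARKERS) -> list:
    """Single-byte XOR brute force over the slack; returns (key, offset, marker) hits.
    Key 0 catches the plaintext references the SC_STR_* heuristics fired on."""
    hits = []
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        for m in markers:
            pos = decoded.find(m)
            if pos != -1:
                hits.append((key, pos, m.decode()))
    return hits


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed input, not a real document: a three-sector OLE file (FAT, directory,
    one 300-byte 'WordDocument' stream) followed by four unallocated sectors of slack
    carrying b'WinExec' XOR-encoded with `key` at slack offset 700."""
    ssize, fat_entries = 512, 128
    hdr = bytearray(ssize)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major, byte order, sector shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                    # one FAT sector; directory starts at sector 1
    struct.pack_into("<I", hdr, 0x38, 4096)                     # mini-stream cutoff
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)          # DIFAT[0]: the FAT lives in sector 0
    fat = [FREESECT] * fat_entries
    fat[0], fat[1], fat[2] = FATSECT, ENDOFCHAIN, ENDOFCHAIN     # sectors 3.. stay FREESECT on purpose
    directory = bytearray(ssize)

    def entry(i, name, obj_type, start, size, child):
        off, enc = i * 128, name.encode("utf-16-le") + b"\x00\x00"
        directory[off:off + len(enc)] = enc
        struct.pack_into("<HBBIII", directory, off + 0x40, len(enc), obj_type, 1, 0xFFFFFFFF, 0xFFFFFFFF, child)
        struct.pack_into("<IQ", directory, off + 0x74, start, size)

    entry(0, "Root Entry", 5, ENDOFCHAIN, 0, 1)                 # root storage, child = entry 1
    entry(1, "WordDocument", 2, 2, 300, 0xFFFFFFFF)             # stream in sector 2, 300 declared bytes
    stream = b"A" * 300 + b"\x00" * (ssize - 300)
    slack = bytearray((i * 37 + 11) & 0xFF for i in range(4 * ssize))  # filler that contains no marker under any key
    slack[700:707] = bytes(b ^ key for b in b"WinExec")
    return bytes(hdr) + struct.pack(f"<{fat_entries}I", *fat) + bytes(directory) + stream + bytes(slack)


if __name__ == "__main__":
    report = ole_slack_report(build_sample())
    print(f"{report['file_bytes']} bytes, {report['declared_stream_bytes']} declared in streams, "
          f"{report['slack_bytes']} ({report['slack_ratio']:.0%}) in unallocated sectors {report['unallocated_sectors']}")
    for key, pos, marker in xor_scan(report["slack"]):
        print(f"slack+0x{pos:x}: {marker!r} under XOR key 0x{key:02x}")
```

To run it against a real document, pass `open(path, "rb").read()` to `ole_slack_report` instead of `build_sample()`. A hit at key 0x00 is just the plaintext reference the SC_STR_* heuristics already reported; a hit under a nonzero key in the unallocated region is the XOR-encoded payload scenario described under OLE_SLACK_ANOMALY, and the key and offset are the starting point for carving it out.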