Office (OLE) / .DOC malware analysis — malicious · ca38f7cbd7fbf3f9

MALICIOUS

Office (OLE) / .DOC

57.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 4fbdc1bccbea6b8eb30cd4cef8115cbb SHA-1: 628db184706b89857e8d08e1a6d3d49697080466 SHA-256: ca38f7cbd7fbf3f972c9b56e9d4460f30ebc13e20b3e4f8b982e588198838f4a

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious OLE document that contains a reference to the CreateProcess API, indicating an attempt to launch an external process. The document body is filled with unreadable characters, providing no contextual clues. Due to the lack of readable content and specific script details, the exact payload and delivery mechanism remain unclear, but the presence of CreateProcess is a strong indicator of malicious intent.

Heuristics 2

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 58,528 bytes but its declared streams total only 21,151 bytes — 37,377 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.