Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cb69ee2379aad968…

MALICIOUS

Office (OLE) / .DOC

Size: 86.4 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 113d6714ea1c4db5336356cf3b5ba9c7
SHA-1: 95b17db3924039434b89669fb47703c21eacf974
SHA-256: cb69ee2379aad9682549580e48d377df4eb7157d6e4e8d6021a04558dd12cb7a
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1055 Process Injection

The OLE document exhibits a significant slack space anomaly (76% of the file), which is a common characteristic of packed or obfuscated malicious documents. Heuristic firings indicate the presence of references to `VirtualAlloc`, `LoadLibrary`, and `GetProcAddress` APIs. These functions are frequently used by malware to allocate memory, load malicious code, and resolve API addresses, strongly suggesting the document is a loader for a second-stage payload. No document body text or scripts were extracted, limiting further analysis of the specific lure or payload delivery mechanism.

Heuristics (4)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 88,480 bytes but its declared streams total only 21,151 bytes — 67,329 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API