Office (OLE) / .DOC malware analysis — malicious · cc7b959fa855f8ad

MALICIOUS

Office (OLE) / .DOC

181.0 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 7f72518375fa2a03fa3727b9028b2832 SHA-1: 860bae778a8d7c23455fbecd99e1ce34539f397e SHA-256: cc7b959fa855f8adc55ac2ce79ffef1b61310e4dd12a1a95df3e0d4ec90afccd

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1059.001 PowerShell T1204.002 Malicious File T1055.012 Process Hollowing

The sample exhibits high-confidence heuristics indicating the use of WinExec, CreateProcess, LoadLibrary, and GetProcAddress APIs, along with a suspicious cmd.exe invocation. The OLE slack anomaly suggests potential obfuscation or embedded malicious content. These indicators collectively point to an attempt to execute arbitrary code, likely for downloading and running a second-stage payload.

Heuristics 7

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 185,344 bytes but its declared streams total only 94,801 bytes — 90,543 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.