Office (OLE) / .DOC malware analysis — malicious · cce2433af85c8613

MALICIOUS

Office (OLE) / .DOC

184.9 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: e94f55bd29d51f7701c9d0ea3b35f212 SHA-1: 7b6a31cec541c27aa118e3c35a2fed4c1b1777f4 SHA-256: cce2433af85c8613345bba4743925277d5582baf2774679613f943c12efedd1c

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell

The heuristics indicate the presence of API calls related to process creation (CreateProcess, ShellExecute), memory allocation (VirtualAlloc), and dynamic library loading (LoadLibrary, GetProcAddress), suggesting the document attempts to execute code. The OLE slack anomaly further points to potential obfuscation or embedded malicious content. Without a document body or script content, the exact execution flow and payload are unclear, but the API calls strongly suggest a downloader or exploit execution.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 189,344 bytes but its declared streams total only 21,151 bytes — 168,193 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.