Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ce059033b14f194c…

MALICIOUS

Office (OLE) / .DOC

Size: 56.7 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 1ca36fe4ee6d0336663cbd5a19f9f287
SHA-1: 5bb34cde2e35df3e35dcb8747b5205eeba98cbb4
SHA-256: ce059033b14f194c9fede93bd38c702cdca7ba51e06f84b1c2b1c1868f3634fd
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The document exhibits a high-severity heuristic firing for CreateProcess, indicating an attempt to launch an external process. The OLE slack anomaly suggests potential obfuscation or padding within the document structure. Without a document body or script content, the exact nature of the payload remains unclear, but the CreateProcess call is a strong indicator of malicious intent.

Heuristics (2)

  • Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API.
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    OLE file is 58,016 bytes but its declared streams total only 21,151 bytes; the remaining 36,865 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).