Office (OLE) / .DOC malware analysis — malicious · ce8d636034daf17f

MALICIOUS

Office (OLE) / .DOC

104.1 KB

MD5: aff432ca15d36e2146b80ea6f2c6fdd9 SHA-1: b3d1a0fc5513090d33cf862a110960bd5fa99bdd SHA-256: ce8d636034daf17f59436d255eb7a279a6400e00c0422f364d130697e8fc1a77

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1218 Signed Binary Proxy Execution T1059.003 Windows Command Shell T1059 Command and Scripting Interpreter

The presence of references to VirtualProtect, LoadLibrary, and GetProcAddress APIs, along with a significant slack space anomaly in the OLE document, strongly suggests the document contains malicious code designed to execute arbitrary functions. The embedded URL, though confirmed benign, indicates a potential delivery vector. The overall pattern points to a macro-based exploit attempting to download and run a second-stage payload.

Heuristics 5

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 106,560 bytes but its declared streams total only 8,934 bytes — 97,626 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.apple.com/DTDs/PropertyList-1.0.dtd

Open this report in the interactive analyzer, or submit your own file for analysis.