Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d01d799a857c8370…

MALICIOUS

Office (OLE) / .DOC

Size: 57.7 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 0bb9684d0a4a99e32685ef03f589e9b6
SHA-1: fa36db5b35d575360914413a9bb19fa9c042c0b3
SHA-256: d01d799a857c8370c1c42befd2b78c503e5804707838fda1de6a2e191af0fb91
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.001 (Command and Scripting Interpreter: PowerShell)

The sample exhibits a high-severity heap-spray pattern, indicating an attempt to prepare process memory for code execution. A reference to the CreateProcess API was also detected, suggesting execution of a secondary payload, and the large slack space in the OLE structure is anomalous. Without a document body or scripts, the exact nature of the payload remains unclear, but the heuristics strongly suggest an attempt to exploit a code-execution vulnerability.

Heuristics (3)

  • Heap-spray pattern detected (severity: high; rule: SC_HEAP_SPRAY)
    Repeated 0x41 ('A') bytes found.
  • Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS)
    A string referencing the CreateProcess API was found.
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 59,040 bytes, but its declared streams total only 21,151 bytes; the remaining 37,889 bytes (64%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).