Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d336ff36a69310ef…

MALICIOUS

Office (OLE) / .DOC

56.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: e668b88f8f33af8ec8f40d72633777e9 SHA-1: 88e1daa4bb3d6728d926bbbe544481acd81fb0c9 SHA-256: d336ff36a69310ef07f2ca28114d81ea3168281ebf3421478d9e2c5a6039b659
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The presence of a CreateProcess API reference and a significant OLE slack anomaly suggests the document is designed to execute a payload. The embedded URLs, while not directly malicious in reputation, are likely part of the lure or command and control infrastructure. The document body is heavily obfuscated, preventing a clear understanding of the lure, but the technical indicators point towards a malicious exploit.

Heuristics 3

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 57,760 bytes but its declared streams total only 21,151 bytes — 36,609 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.phayul.com/news/article.aspx?id=26393
    • http://www.we-are-tibet.org/

Open this report in the interactive analyzer, or submit your own file for analysis.