Office (OLE) / .DOC malware analysis — malicious · d41be00b9163284d

MALICIOUS

Office (OLE) / .DOC

129.2 KB

MD5: bf6ddeff0a3c44f219e646d9df257228 SHA-1: b8ea6784d287e492973a9027b9dd4d88cf350397 SHA-256: d41be00b9163284ddc1862dfc98c062a5e24195f4db5478a016c0f651010b58a

160 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious OLE document exhibiting a large slack space anomaly and references to LoadLibrary and GetProcAddress APIs, suggesting shellcode execution. While the document body is nonsensical, the presence of these indicators points towards a downloader or exploit. No scripts were extracted, and the embedded URL is benign, limiting further analysis.

Heuristics 5

NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 132,347 bytes but its declared streams total only 31,351 bytes — 100,996 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.