Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d52ecabbb9798719…

MALICIOUS

Office (OLE) / .DOC

80.7 KB Created: 2006-04-29 01:29:00 Authoring application: Microsoft Office Word
MD5: 046af9469b17e6cf9296a9d182168e83 SHA-1: 655d0e7d375e9332b777e298c27bbbaa05e60a80 SHA-256: d52ecabbb97987198f3aea24ecb39abc34c077eb2fd0759c91582734d5a5276c
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document exhibiting a large slack space anomaly, indicative of embedded shellcode. Heuristics indicate the presence of a NOP sled, PEB access, and calls to WinExec, CreateProcess, and LoadLibrary, suggesting the document attempts to execute arbitrary code. The document body is minimal and does not provide further context. No scripts were extracted from this sample.

Heuristics 7

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • x86 GetPC stub (CALL $+5; POP ESI) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP ESI)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 82,590 bytes but its declared streams total only 26,783 bytes — 55,807 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.