Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d697e18af2f45436…

MALICIOUS

Office (OLE) / .DOC

63.7 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: bf82efa506a9f8bb97c2820f93c808ea SHA-1: f01daca0763ab2a212803f0b4aa7a8fbe77c97f4 SHA-256: d697e18af2f4543650b97cc12f135ed4d14a65e6dfad63f9852f9797a1dc27b8
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document that contains a reference to the CreateProcess API, indicating an attempt to execute a process. The large slack space in the OLE structure is also suspicious. Without a document body or script content, the exact nature of the payload and delivery mechanism cannot be determined.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 65,184 bytes but its declared streams total only 21,151 bytes — 44,033 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.