Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d9650f63e75ecbee…

MALICIOUS

Office (OLE) / .DOC

Size: 156.9 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: d8c43ab7ba9b1f686861e4bd60eceee7
SHA-1: e0d7c76f4287444c52e7de931bdc6ad60629cfd8
SHA-256: d9650f63e75ecbeefe3054d1f9a8ed86724a9f315b66c1e3f0bafc597b3162fc
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristic firings for LoadLibrary and GetProcAddress APIs suggest the document is attempting to dynamically load and execute code, likely a second-stage payload. The lack of document body text or script content prevents a more specific determination of the attack's intent or family.

Heuristics (3)

  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 160,672 bytes but its declared streams total only 21,151 bytes — 139,521 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).