Office (OLE) / .DOC malware analysis — malicious · da008c76bbeb163b

MALICIOUS

Office (OLE) / .DOC

146.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 74c8454a895b08bf1c4474ce53dc7dd6 SHA-1: d36c6e60a5ccf0d3e7a67448c1e362813bcca0fc SHA-256: da008c76bbeb163bb7306f8231dd148b19044dfcacf44a73941750b2489085a9

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The sample exhibits high-confidence heuristic firings related to process creation (CreateProcess) and execution (ShellExecute), along with memory allocation (VirtualAlloc) and library loading (LoadLibrary, GetProcAddress). These indicators suggest the document is designed to launch an external executable or script. The OLE slack anomaly further points to potential obfuscation or embedded malicious content. No document body or script content was available for further analysis.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 149,920 bytes but its declared streams total only 21,151 bytes — 128,769 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.