Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 da67700ca9b8b695…

MALICIOUS

Office (OLE) / .DOC

61.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 2c5062bbf9ee3bb433cdb3ece5b75480 SHA-1: 196daf0679f005e475c9a18171651e3af625eb2b SHA-256: da67700ca9b8b6958c84b40141bce6d8ae9a3590a5f945a7086f1b08fe19ebb0
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The sample is an OLE document with a high slack anomaly, indicating potential obfuscation or embedded malicious content. A heuristic firing for CreateProcess API suggests the document attempts to launch an external process. No document body or script content was available for further analysis, limiting the ability to determine the exact payload or delivery mechanism.

Heuristics 2

  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 62,624 bytes but its declared streams total only 21,151 bytes — 41,473 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.