Office (OLE) malware analysis — malicious · dbce8724779f2384

MALICIOUS

Office (OLE)

176.4 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 27c7f2dc7bcb7a2a7e979bb228ed765f SHA-1: 3231d80992cacb7da7a1d4bbdc83142981577615 SHA-256: dbce8724779f2384d69796d3aec7accce9316cda1b15243933b2102b1e799111

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell

The sample exhibits high-confidence heuristic firings indicating the use of Windows API functions such as ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress. These functions are commonly used by malware to load and execute malicious code. The large slack space anomaly in the OLE document further suggests the presence of embedded or obfuscated malicious content. The document body contains heavily garbled text, providing no clear user-facing lure.

Heuristics 5

Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 180,672 bytes but its declared streams total only 94,801 bytes — 85,871 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.