Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 dcafffd2e1c86c5e…

MALICIOUS

Office (OLE) / .DOC

Size: 60.9 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 84074489aefae86b56eb6cb848621b19
SHA-1: a22cf84ab7dd626d8f2408b877ddfc8f4b98682f
SHA-256: dcafffd2e1c86c5e62573d0174fbfbe1084ecada2e88c60b632e0db6745b534e
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document that contains a large slack space anomaly. A high-severity heuristic firing indicates the use of the CreateProcess API, suggesting an attempt to execute a payload. The document body is unreadable, and no scripts were extracted, limiting further analysis. The exact nature of the payload and its delivery mechanism remain unclear.

Heuristics (2)

  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
    The file contains a reference to the CreateProcess API.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 62,368 bytes, but its declared streams total only 21,151 bytes; the remaining 41,217 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).