Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 dcef5a8239e8ae70…

MALICIOUS

Office (OLE) / .DOC

89.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 603fc7db5f840693e08c01b185d1cd30 SHA-1: a1d7abc8f7d28e949f2db8c92362e6bde7afd58e SHA-256: dcef5a8239e8ae700061d995886dd936ce666a3fe53f092a123afb34b46b99f9
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The OLE document exhibits a significant slack space anomaly, a common characteristic of packed or obfuscated malware. Crucially, it contains an embedded PE executable. The presence of LoadLibrary and GetProcAddress API references further suggests the document is designed to load and execute this embedded payload. The document body is filled with non-readable characters, indicating it is not intended for user consumption but rather as a container for the malicious executable.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 91,679 bytes but its declared streams total only 21,151 bytes — 70,528 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000a2a0.exe
04d3485f707156a2eb1547c771358fb303f6443265a4aa81dcd076a51f3ae54c		 embedded-pe Office MZ+PE at offset 0xA2A0 50047 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.