Office (OLE) / .DOC malware analysis — malicious · dd99e0162d8d7232

MALICIOUS

Office (OLE) / .DOC

163.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 6c15d87197d79765dceaa12e52db7c48 SHA-1: d15cf6612cf20bd9d2c17bf6791d4e0778d68b86 SHA-256: dd99e0162d8d723215494e92b69ccf916dc6627adca1232fe818c030505d884f

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell T1218 Signed Binary Proxy Execution

The sample exhibits high-confidence heuristic firings indicating the use of Windows API calls commonly associated with process execution and dynamic library loading (CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, GetProcAddress). The large slack space anomaly in the OLE document suggests potential obfuscation or embedded malicious content. Without a document body or script content, the exact payload and delivery mechanism remain unclear, leading to an 'unknown family' classification and a moderate confidence score.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 167,328 bytes but its declared streams total only 21,151 bytes — 146,177 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.