Office (OLE) / .DOC malware analysis — malicious · dfe271b6e2553e9a

MALICIOUS

Office (OLE) / .DOC

123.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: d600e6a39d7b25bc92bf4e1c47ae59d4 SHA-1: dc81984ceafe6091e496e9488436f71e44fdf01c SHA-256: dfe271b6e2553e9a50dcb7d61e83bcabfb0e45e789c7560cad3b0b38cc865163

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter T1204 User Execution T1059.003 Windows Command Shell

The OLE document exhibits a significant slack anomaly, indicating potential obfuscation or embedded malicious content. Heuristics firing for CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress strongly suggest the document is designed to execute arbitrary code. The lack of document body text or script content prevents a more specific determination of the payload or delivery mechanism.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 126,368 bytes but its declared streams total only 21,151 bytes — 105,217 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.