Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e0f0772b8e6c5906…

MALICIOUS

Office (OLE) / .DOC

168.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 7d05175b387b728c9ba1edf3a6581ab2 SHA-1: d589880f1362049479fb950d081091adcb92d0b2 SHA-256: e0f0772b8e6c590616edefa768628a07a0e45943aefe86566fd10880ca624511
320 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1105 Ingress Tool Transfer

The sample is a Microsoft Word 9.0 document containing a large slack space anomaly and a critical heuristic firing for an embedded PE executable. ClamAV signatures confirm the embedded artifact is malicious (Win.Trojan.Agent-681062). The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API references suggests the embedded executable is designed to load and execute further malicious code. The document body is unreadable, but the embedded executable is the primary indicator of malicious intent.

Heuristics 7

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Agent-681062 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-681062
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 172,804 bytes but its declared streams total only 94,801 bytes — 78,003 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001c600.exe
68fa58873e25503b105950f13af064c5e1a7157e3aca5ae445b7b0517fee654a		 embedded-pe Office MZ+PE at offset 0x1C600 56580 bytes
Detection
ClamAV: Win.Trojan.Agent-681062
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.