Office (OLE) / .DOC malware analysis — malicious · e401aad97411121f

MALICIOUS

Office (OLE) / .DOC

67.2 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 50ce67570dd231674068ec0f2352c208 SHA-1: 574c99fff062cc194a659d32833ac6d33d209f68 SHA-256: e401aad97411121ff99f0c34784c335922aaf953d4bdcde289d5f0e280a37ce0

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The document contains a heuristic firing for CreateProcess API, indicating an attempt to execute a process. The OLE slack anomaly suggests potential obfuscation or embedded malicious content. While no specific malicious URLs or scripts were extracted, the presence of CreateProcess strongly suggests a macro-based execution attempt, likely to download and run a second-stage payload.

Heuristics 3

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 68,768 bytes but its declared streams total only 21,151 bytes — 47,617 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.