Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e738ca09af9c7e72…

MALICIOUS

Office (OLE) / .DOC

Size: 221.8 KB · Created: 2001-12-14 14:26:00 · Authoring application: Microsoft Word 9.0
MD5: 9d040334123da6a00aa5f045924d5976
SHA-1: 80b4a4044bcfbf05eb6310f593da115cbb89bbb6
SHA-256: e738ca09af9c7e72f0649d32d40f269e6a9394adcaea88dffd3a36a236fd91cc
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

The file is identified as malicious by ClamAV with the signature Win.Exploit.MSWord-7. Static analysis revealed an x86 GetPC stub and an x86 push-string-call that decodes to 'wc.exe', indicating an attempt to execute a command. Additionally, XOR-encoded strings were detected, suggesting obfuscation of malicious content. The large slack space in the OLE structure is also a common characteristic of weaponized documents.

Heuristics (5)

  • XOR-encoded strings (key 0xC4) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xC4: 'msvcrt.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA'
  • ClamAV: Win.Exploit.MSWord-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.MSWord-7
  • x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBX)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 227,146 bytes but its declared streams total only 94,801 bytes — 132,345 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • x86 push-string-call medium SC_PUSH_STRING
    Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack