Office (OLE) / .DOC malware analysis — malicious · e98098dac2991bbd

MALICIOUS

Office (OLE) / .DOC

59.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: e8ec3829c650180bcaabf4f0ec123d83 SHA-1: 6c88390aff6c0db435e8961a35dd69084ed3f6fa SHA-256: e98098dac2991bbd909b2cba12adc0f7c075bd73d0b735353c6312374e34f90b

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The presence of references to VirtualProtect, LoadLibrary, and GetProcAddress APIs strongly suggests that the document contains malicious code designed to load and execute a secondary payload. The OLE slack anomaly further indicates potential obfuscation or padding within the document structure. Without a document body or script content, the exact nature of the payload and delivery mechanism remains unclear, leading to an 'unknown family' classification.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 60,832 bytes but its declared streams total only 21,151 bytes — 39,681 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.