Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ea0d59e42963b2c3…

MALICIOUS

Office (OLE) / .DOC

54.1 KB
MD5: 88a0af1e3c8dff35aed80f111fa63c59 SHA-1: ca9d1206d05c95922f75dfe1b3668d5cd5d6ac41 SHA-256: ea0d59e42963b2c3d44fd9869ae34c3873b3924439410c3ffe0af3321ebeef98
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample exhibits a large slack space anomaly, indicative of obfuscation or embedded malicious content. Heuristics indicate the use of VirtualProtect, LoadLibrary, and GetProcAddress APIs, commonly employed by malware to load and execute payloads. The presence of these APIs suggests an attempt to execute arbitrary code, likely through a vulnerability within the Office document itself.

Heuristics 4

  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 55,360 bytes but its declared streams total only 8,934 bytes — 46,426 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Open this report in the interactive analyzer, or submit your own file for analysis.