Office (OLE) / .DOC malware analysis — malicious · eaa842d59373247b

MALICIOUS

Office (OLE) / .DOC

108.1 KB

MD5: d62b5d466d39b5c118cdf01482130507 SHA-1: 50361c08b285b5bdec3e2e77a65507fc68741d17 SHA-256: eaa842d59373247bbce2a81a65fa6ec02c9bb7225adb8c52e48932996b6f8efc

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The document contains an embedded PE executable, indicated by the OLE_EMBEDDED_EXE heuristic. The presence of CreateProcess API references suggests an attempt to launch this embedded executable. The XOR-encoded strings and slack space anomaly are common obfuscation techniques used by malware. The embedded executable is the primary indicator of malicious intent, likely serving as a dropper for further malicious activity.

Heuristics 4

XOR-encoded strings (key 0x88) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x88: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA'
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 110,725 bytes but its declared streams total only 31,351 bytes — 79,374 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00012e20.exe` `89e54ae49a4a083a3cfea7a2867341b0dd3fdd60b166a62c9487491f123800bd`	embedded-pe	Office MZ+PE at offset 0x12E20	33381 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.