Office (OLE) / .DOC malware analysis — malicious · ee033d91994b80a5

MALICIOUS

Office (OLE) / .DOC

121.8 KB

MD5: d7df959d1bd657d881f7c4b76f56e339 SHA-1: 9b225adbb342c9c91ab6dfc4ff6c4315cea1c0c8 SHA-256: ee033d91994b80a586164631583da5726fb93a2a8c81d58bd322a406481a8085

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The file is detected as malicious by ClamAV with the signature 'Doc.Dropper.Agent-1828510'. Heuristics indicate the use of CreateProcess and ShellExecute APIs, common for executing payloads. The OLE slack anomaly and embedded objects suggest a dropper functionality. No scripts were extracted from this sample.

Heuristics 5

ClamAV: Doc.Dropper.Agent-1828510 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-1828510
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 124,708 bytes but its declared streams total only 31,351 bytes — 93,357 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x41 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.