Malicious Office (OLE) / .DO — malware analysis report

Static analysis result for SHA-256 efc3a1c07d4cbd13…

MALICIOUS

Office (OLE) / .DO

Size: 71.0 KB (72,720 bytes)
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 89f5cf4c0fb6bd9ce4b7eed5d63b8c5b SHA-1: 899de5f5293adbf643466c24353658c0cc7c88b3 SHA-256: efc3a1c07d4cbd130b6e5be41472a919289c02077078471b327f181e9397c55d
Risk Score: 160

Malware Insights

The OLE document exhibits a significant slack-space anomaly: 71% of the file lies outside any declared stream, which is a strong indicator of a hidden, packed or obfuscated payload. Heuristics also flag string references to APIs used for memory manipulation and for resolving and loading code at runtime (VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress); this combination is the classic import-resolution pattern of position-independent shellcode, and a benign Word document has no reason to contain these names. No document body or script content was available for further analysis, which limits the ability to determine the exact attack pattern or family; confirming the verdict requires carving the unallocated region and decoding it, since a string match alone does not identify the exploit in use. The file is most likely a container for malicious code rather than a genuine document.

Heuristics (5)

  • [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API
  • [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API
  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    The OLE file is 72,720 bytes, but its declared streams total only 21,151 bytes; the remaining 51,569 bytes (71%) live in unallocated sector slack. This is the classic hiding place for macro-less Office exploit documents of this vintage: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure.
  • [medium] SC_STR_VIRTUALALLOC: Reference to VirtualAlloc API
  • [medium] SC_STR_VIRTUALPROTECT: Reference to VirtualProtect API
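The two findings above, the slack-space measurement and the API-string references, can be reproduced with a short parser. The following is an added example, not the scanner's own code or anything extracted from the reported file: it parses the CFB/OLE header, FAT and directory, sums the declared stream sizes, lists every sector the FAT leaves free or does not cover, and then brute-forces a single-byte XOR key over that slack looking for API names. The container it analyses is constructed inline (a minimal v3 file with one 300-byte "WordDocument" stream and a fake XOR-encoded payload appended after the last allocated sector); the single-byte XOR scheme, the key 0x5A and the API name list are assumptions for the demonstration, and the parser reads only the header DIFAT, which is sufficient for files of up to 109 FAT sectors.

```python
import struct

# CFB/OLE constants (MS-CFB); single-byte XOR brute force is an assumption for the demo.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect"]


def build_sample_ole(trailing: bytes) -> bytes:
    """Constructed sample, not the reported file: a minimal CFB v3 container with
    512-byte sectors (sector 0 = FAT, 1 = directory, 2 = one 300-byte 'WordDocument'
    stream) followed by `trailing` bytes that no FAT entry accounts for."""
    sec = 512
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (sec // 4 - 3)

    def dirent(name, kind, child, start, size):      # 128-byte directory entry
        n = name.encode("utf-16-le") + b"\x00\x00"
        return (n.ljust(64, b"\x00")
                + struct.pack("<HBBIII", len(n), kind, 1, NOSTREAM, NOSTREAM, child)
                + b"\x00" * 36                        # CLSID, state bits, timestamps
                + struct.pack("<IQ", start, size))

    stream = b"A" * 300
    directory = (dirent("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dirent("WordDocument", 2, NOSTREAM, 2, len(stream))).ljust(sec, b"\x00")
    header = (MAGIC + b"\x00" * 16                    # signature, CLSID
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              # dir sectors, FAT sectors, first dir sector, txn sig, mini cutoff,
              # first mini-FAT, mini-FAT count, first DIFAT, DIFAT count
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))   # DIFAT: FAT is sector 0
    return header + struct.pack("<128I", *fat) + directory + stream.ljust(sec, b"\x00") + trailing


def ole_slack(data: bytes):
    """Return (declared_stream_bytes, slack_regions): the byte total of all stream
    directory entries, and (offset, length) runs of sectors that the FAT marks free
    or does not cover at all. Reads only the header DIFAT (files <= 109 FAT sectors)."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE/CFB file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)
    fat = []
    for s in difat[:num_fat]:
        fat += struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec)
    declared, s, hops = 0, first_dir, 0
    while s != ENDOFCHAIN and s < len(fat) and hops < len(fat):   # bounded chain walk
        base = (s + 1) * sec
        for e in range(base, base + sec, 128):
            if data[e + 66] == 2:                                 # object type 2 = stream
                declared += struct.unpack_from("<Q", data, e + 120)[0]
        s, hops = fat[s], hops + 1
    n_sectors = -(-(len(data) - sec) // sec)                      # ceil; counts a partial tail
    regions = []
    for i in range(n_sectors):
        if i < len(fat) and fat[i] != FREESECT:
            continue
        off = (i + 1) * sec
        length = min(sec, len(data) - off)
        if regions and regions[-1][0] + regions[-1][1] == off:    # merge adjacent sectors
            regions[-1] = (regions[-1][0], regions[-1][1] + length)
        else:
            regions.append((off, length))
    return declared, regions


def find_xor_api_strings(data: bytes, regions):
    """Brute-force every single-byte XOR key over each slack region and report
    (api_name, key, file_offset) for API names that appear after decoding."""
    hits = []
    for off, length in regions:
        chunk = data[off:off + length]
        for key in range(256):
            plain = bytes(b ^ key for b in chunk)
            for name in API_NAMES:
                pos = plain.find(name)
                if pos != -1:
                    hits.append((name.decode(), key, off + pos))
    return hits


def analyze(data: bytes) -> dict:
    declared, regions = ole_slack(data)
    slack_bytes = sum(n for _, n in regions)
    return {"size": len(data), "declared": declared, "slack_bytes": slack_bytes,
            "slack_pct": round(100.0 * slack_bytes / len(data), 1),
            "api_hits": find_xor_api_strings(data, regions)}


if __name__ == "__main__":
    # Constructed payload: NOP sled plus two API names, XOR-encoded with key 0x5A,
    # buried in unallocated sectors after the last real stream.
    payload = bytes(b ^ 0x5A for b in b"\x90" * 16 + b"LoadLibraryA\x00GetProcAddress\x00")
    sample = build_sample_ole(b"\x00" * 700 + payload + b"\x00" * 300)
    print(analyze(sample))
```

Note the two different measures: the report's 71% compares file size against declared stream bytes, which also counts the header, FAT and directory sectors as "slack"; `ole_slack` instead reports only sectors the FAT does not allocate, which is the region an exploit document actually uses to park its payload and the one worth carving. A hit at key 0 means the API name is stored in plaintext; any other key is evidence of the XOR encoding the heuristic describes, and the recovered key can be applied to the whole region to extract the shellcode for further analysis.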