Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f0268bdbdbeb2152…

MALICIOUS

Office (OLE) / .DOC

143.5 KB
MD5: efacb931eb69640c4e315bc3a3c86fd7 SHA-1: d4670dc4173ad49ec714e99d17db17a7441d68aa SHA-256: f0268bdbdbeb215282667be2da661a70a1544935120f9b0d34c48378f06222fb
382 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell

The sample exhibits multiple high-severity heuristics indicative of malicious code execution, including PEB access, API hash resolution, and references to WinExec, VirtualAlloc, LoadLibrary, and GetProcAddress. The presence of an EMF object within an OLE EPRINT stream and a large slack space anomaly further suggest obfuscation and potential exploit delivery. While VBA macros could not be extracted, the heuristics strongly point towards an attempt to execute arbitrary code, likely via embedded objects or exploits within the Office document.

Heuristics 11

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 146,944 bytes but its declared streams total only 31,351 bytes — 115,593 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.