Office (OLE) / .DOC malware analysis — malicious · f2b40d46a1f2bc21

MALICIOUS

Office (OLE) / .DOC

138.9 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 94e3e26f68b548553631c2ce6fc0475f SHA-1: 2609df22321f61e6ae7ac25df6e008c8ee4763c1 SHA-256: f2b40d46a1f2bc21e6fcf5590beb17ba4258b940b28f5562701093e89debb926

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell

The sample exhibits high-severity heuristic firings for API calls related to process creation (CreateProcess, ShellExecute), memory allocation (VirtualAlloc), and dynamic library loading (LoadLibrary, GetProcAddress). These indicators suggest the document is designed to execute arbitrary code, likely by leveraging a vulnerability within Microsoft Office. The OLE Slack Anomaly further points to potential obfuscation or embedded malicious content. Without a document body or script content, the exact nature of the payload cannot be determined, but the API calls strongly indicate a downloader or dropper functionality.

Heuristics 6

Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 142,240 bytes but its declared streams total only 21,151 bytes — 121,089 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.