Office (OLE) / .DOC malware analysis — malicious · f2bba393701bc31b

MALICIOUS

Office (OLE) / .DOC

114.3 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 2e0aafbf78c3459dfa5cb1d1d88e6bc3 SHA-1: 59b15f68f3b72dfea14e50878b31b87bee3019fa SHA-256: f2bba393701bc31bec7f4f1485c036ac07f96c1e4501ffd93cceb7300f78fe71

280 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File

The sample exhibits high-confidence heuristic firings for WinExec, CreateProcess, and ShellExecute APIs, indicating an attempt to execute code. The presence of XOR-encoded strings and a large slack space anomaly further suggest malicious intent. The ClamAV detection as 'Doc.Dropper.Agent-1828517' and the extracted path 'c:\winmsio.exe' strongly suggest this document is a dropper designed to download and execute a second-stage payload.

Heuristics 6

XOR-encoded strings (key 0xCE) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xCE: 'CreateProcessA', 'CreateFileA', 'OpenProcess', 'RegOpenKeyExA', 'ShellExecuteA'
ClamAV: Doc.Dropper.Agent-1828517 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-1828517
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 117,086 bytes but its declared streams total only 16,486 bytes — 100,600 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.