Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f6e9345a0398e938…

MALICIOUS

Office (OLE) / .DOC

79.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: 8d02a96c279da25bc3197d81aa2cdcf2 SHA-1: c28cd3b60ef90b8a9a3487d8ebc7c0f04efb07b3 SHA-256: f6e9345a0398e938883242963abd11f4922dd12a2c6d182d2ee950431b49939b
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The presence of references to WinExec, LoadLibrary, and GetProcAddress APIs strongly suggests the document contains malicious code designed to execute arbitrary commands. The large slack space in the OLE structure is also indicative of packed or obfuscated malicious content. Without a document body or script content, the exact nature of the payload cannot be determined, but the API calls point towards a downloader or dropper.

Heuristics 4

  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 81,312 bytes but its declared streams total only 21,151 bytes — 60,161 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.