Office (OLE) / .DO malware analysis — malicious · f8bcb082498fd130

MALICIOUS

Office (OLE) / .DO

172.5 KB

MD5: 82b55324a3e6b02ad81a06237b95d0e1 SHA-1: 7b355223f3375825a44b8f4c73cdabfd99428609 SHA-256: f8bcb082498fd130de942132502110cb5d6c501c1322784ac6c3e802e7e5c38b

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File T1055 Process Injection

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate suspicious use of Windows APIs such as WinExec, CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, along with a high-confidence alert for cmd.exe execution. These findings suggest the document is designed to download and execute a secondary payload, likely through a command-line interface.

Heuristics 7

Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 176,640 bytes but its declared streams total only 31,351 bytes — 145,289 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.