Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f94af74d14405fd7…

MALICIOUS

Office (OLE) / .DOC

Size: 59.5 KB (60,944 bytes)
Created: 2005-05-04 05:46:00 (document metadata, attacker-controllable)
Authoring application: Microsoft Word 9.0 (document metadata, attacker-controllable)
MD5: 9b58db23b78bd00048e1c2e6cae647f7
SHA-1: b893e13029833b5fa633a84f13c564861a923b0a
SHA-256: f94af74d14405fd7321c4fd1f3e0e9afe797e7404daeb19cf4d66d7de8751425
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model

The file is a Microsoft Word document whose OLE container has a large unallocated (slack) region and carries an embedded PE executable. An embedded executable strongly suggests the document is a dropper or container for malicious code. The document body text is nonsensical, so it was not written for a human reader. The embedded executable is the primary artifact of interest and is the next thing to analyse.

Heuristics (4)

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 60,944 bytes but its declared streams total only 16,490 bytes; 44,454 bytes (73%) live in unallocated sector slack. This is the classic hiding place for Office parser-exploit payloads (XOR-encoded shellcode and a PE reached through a pointer-corruption bug in the document structure rather than through a macro). The carved PE at offset 0x4B00 (19,200) is 41,744 bytes long, so it runs exactly to end of file (19,200 + 41,744 = 60,944).
  • x86 push-string-call medium SC_PUSH_STRING
    Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack
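The three byte-level heuristics above (OLE_EMBEDDED_EXE, SC_NOP_SLED, SC_PUSH_STRING) can be reproduced with a short triage script. The code below is an added example, not the scanner's own implementation: it cross-checks every `MZ` against its `e_lfanew` before calling it a PE, sizes the PE from its section table rather than carving to end of file, and decodes stacked `PUSH imm32` strings. The function names, thresholds and the sample blob (`build_sample`, which plants a stray `MZ`, a NOP sled, a push-string stub and a minimal one-section PE) are constructed for this example and are not taken from the analysed document.

```python
"""Triage heuristics for an OLE/.DOC container: locate an embedded MZ/PE,
size it from its section table, and flag shellcode-like byte patterns
(NOP sleds, PUSH-imm32 string construction).

Example code added to this report, not the scanner's own implementation.
The sample container built below is constructed here; nothing in it comes
from the analysed document."""
import re
import struct

SECTION_HDR = 40       # sizeof(IMAGE_SECTION_HEADER)
MIN_NOP_SLED = 20      # same threshold as the SC_NOP_SLED heuristic above


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0'.
    A bare 'MZ' is not enough: the cross-check rejects the two ASCII bytes
    turning up by chance in document text."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew <= 0x400 and data[pe:pe + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def pe_raw_size(data: bytes, off: int) -> int:
    """On-disk length of the PE at `off`: the furthest PointerToRawData +
    SizeOfRawData over its sections (and at least the headers). This is the
    carve length to use instead of 'everything to end of file'."""
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
    nsect = min(struct.unpack_from("<H", data, pe + 6)[0], 96)   # sanity cap
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = pe + 24 + opt_size                      # first IMAGE_SECTION_HEADER
    end = sect + nsect * SECTION_HDR - off
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * SECTION_HDR + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def find_nop_sleds(data: bytes, min_len: int = MIN_NOP_SLED) -> list:
    """(offset, length) of every run of at least `min_len` 0x90 bytes."""
    pattern = rb"\x90{%d,}" % min_len
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]


def _ascii_word(w: bytes) -> bool:
    # Printable ASCII with NUL padding allowed, at least two real characters.
    return all(0x20 <= b < 0x7F or b == 0 for b in w) and sum(b != 0 for b in w) >= 2


def find_push_strings(data: bytes, min_pushes: int = 3) -> list:
    """(offset, string) for runs of PUSH imm32 (0x68) with ASCII immediates:
    the classic way shellcode builds an API or file name on the stack.
    Words are pushed last-first, so the string is read back in reverse order."""
    hits, i, n = [], 0, len(data)
    while i + 5 <= n:
        words, j = [], i
        while j + 5 <= n and data[j] == 0x68 and _ascii_word(data[j + 1:j + 5]):
            words.append(data[j + 1:j + 5])
            j += 5
        if len(words) >= min_pushes:
            hits.append((i, b"".join(reversed(words)).rstrip(b"\x00").decode("ascii")))
            i = j
        else:
            i += 1
    return hits


def triage(data: bytes) -> dict:
    """Run all three heuristics; for each PE also record whether its carve
    length reaches end of file, as it does for the document in this report."""
    pes = []
    for off in find_embedded_pe(data):
        size = min(pe_raw_size(data, off), len(data) - off)
        pes.append({"offset": off, "size": size, "ends_at_eof": off + size == len(data)})
    return {"embedded_pe": pes,
            "nop_sleds": find_nop_sleds(data),
            "push_strings": find_push_strings(data)}


def build_sample() -> bytes:
    """Constructed test blob (not the real document): body text with a stray
    'MZ', a NOP sled, a push-string stub, a minimal one-section PE, then slack."""
    body = b"Q3 budget MZ memo\x00" + b"\x00" * 200      # stray MZ, no PE behind it
    sled = b"\x90" * 32
    stub = b"\x68aryA" + b"\x68Libr" + b"\x68Load" + b"\x54"    # push ...; push esp
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                     # e_lfanew
    pe[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)                # Machine=i386, 1 section
    struct.pack_into("<H", pe, 0x54, 0xE0)                     # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", pe, 0x58, 0x10B)                    # optional header Magic
    sect = 0x58 + 0xE0
    pe[sect:sect + 8] = b".text\x00\x00\x00"
    struct.pack_into("<II", pe, sect + 16, 0x200, 0x200)       # SizeOfRawData, PointerToRawData
    return body + sled + stub + bytes(pe) + b"\x00" * 64


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

On the constructed blob the stray `MZ` in the body text is rejected (its `e_lfanew` is zero), the planted PE is reported at its true offset with a 1,024-byte carve length computed from the section table, and the push sequence decodes to `LoadLibraryA`. Applied to the real sample, the same `ends_at_eof` check would be true: the carved PE at 0x4B00 is 41,744 bytes and the file is 60,944 bytes, so the executable occupies the container right up to its last byte.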

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00004b00.exe
SHA-256: 6652fed97617e487ec02d18e4020c80325300cb55dc162e06ecadb2d89905775
Kind: embedded-pe
Source: Office MZ+PE at offset 0x4B00
Size: 41,744 bytes (0x4B00 + 41,744 = 60,944, i.e. the carved PE runs to end of file)