Office (OLE) / .DOC malware analysis — malicious · fda27aaa8f0022a4

MALICIOUS

Office (OLE) / .DOC

144.5 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 868da969e69833cd6b824a4d14c48723 SHA-1: 0b9ed05a80e1379439877e52a3c8981aba546f21 SHA-256: fda27aaa8f0022a4dfb9663c9ab697d355db68ca3783522a0c59d183c08e4e5a

180 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell

The file is detected as Win.Exploit.MSWord-7, indicating it leverages a known exploit. Static analysis revealed a call to GetPC stub and XOR-encoded strings, suggesting obfuscated code execution. The heuristic 'push-string-call' decoded to 'wc.exe', likely an indicator of a dropped or executed payload. The document body contains heavily garbled text, offering no contextual clues about the lure.

Heuristics 4

XOR-encoded strings (key 0x88) critical SC_XOR_ENCODED

Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x88: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'ExitProcess'
ClamAV: Win.Exploit.MSWord-7 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Exploit.MSWord-7
x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EBX)
x86 push-string-call medium SC_PUSH_STRING

Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack

Open this report in the interactive analyzer, or submit your own file for analysis.