Office (OLE) / .DOC malware analysis — malicious · fdbd6cb46f6a3b7c

MALICIOUS

Office (OLE) / .DOC

170.4 KB

MD5: 9489478d4b16cacd50168a3455455aad SHA-1: 07cc916815f7bbb2d8f940dfe368f17dbcb41757 SHA-256: fdbd6cb46f6a3b7c582cdfe6de83385ad6ee2647dfb57ffc3e13388e3a2e7b9f

180 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of NOP sleds and calls to memory allocation and dynamic library loading APIs (VirtualAlloc, LoadLibrary, GetProcAddress), suggesting the execution of shellcode. The document body contains references to embedded Office objects, which could be used to deliver exploits.

Heuristics 5

NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 174,493 bytes but its declared streams total only 31,351 bytes — 143,142 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.