Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 003a08ad753aa638…

MALICIOUS

Office (OLE) / .DOC

Size: 156.5 KB
Created: 2006-08-16 17:20:00
Authoring application: Microsoft Office Word
MD5: 453ef850c6c6e6969186522f99a3f5e6
SHA-1: fc673b81f4432dc773c8b106d59fc79427936da1
SHA-256: 003a08ad753aa638165750dfb0ec02b942493d2968c5a8794dda9b665082f0d4
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1059 Command and Scripting Interpreter

The sample exhibits a large amount of slack space within the OLE structure, a common characteristic of packed or obfuscated malicious documents. Additionally, it triggers a heuristic for PEB access, suggesting attempts to manipulate process information, often used to evade detection or facilitate further execution. The document body contains heavily obfuscated and unreadable text, indicating a likely attempt to conceal malicious intent, possibly involving a downloader or exploit.

Heuristics (2)

  • PEB access via FS segment (x86) [severity: high, rule: SC_PEB_ACCESS]
    Shellcode-style access to the Process Environment Block via the FS segment register on x86.
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 160,272 bytes but its declared streams total only 17,055 bytes; 143,217 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).