Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0291810655d7a9e9…

MALICIOUS

Office (OLE)

Size: 100.9 KB (103,328 bytes)
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 37357d39fe34feece07bc08303c17cb8
SHA-1: 1f3be84068d7fcc363701072d22a187f502a2908
SHA-256: 0291810655d7a9e913f58761e4f3ef34b041f74f55529c5a99cfd6bf16d0878e
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE (Compound File Binary) document that carries raw shellcode at the file level rather than in a macro. Three heuristics fire: x86 code that reads the Process Environment Block through the FS segment, a raw PEB/API-resolver payload with loader-walk instructions, and a large region of the file (about 80%) that no declared stream accounts for, which is where such payloads are typically hidden. The document most likely exploits a client-side parsing vulnerability in Word to reach that shellcode; the analysis identifies the payload carrier but does not pin down a specific CVE.

Heuristics (3)

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    x86 code reads the Process Environment Block through the FS segment register (fs:[0x30], the TEB's PEB pointer). This is the first step of position-independent shellcode that resolves kernel32/ntdll API addresses by walking the loaded-module list instead of importing them, and it has no legitimate reason to appear inside a Word document.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 103,328 bytes but its declared streams total only 21,151 bytes — 82,177 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
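To make the slack and shellcode heuristics above reproducible, here is an added example written for this page; it is not code from the analysis engine that produced the report. It builds a constructed minimal OLE (CFB v3) file with one 300-byte WordDocument stream followed by 2 KB of sectors the FAT never allocates, plants a textbook x86 PEB -> Ldr -> InMemoryOrderModuleList walk in that slack, then parses the header, DIFAT, FAT and directory to compute the same "declared streams vs. file size" figure the report quotes, the stricter count of FAT-free sectors, and the offsets of fs:[0x30] reads followed by PEB+0x0C and LDR+0x14 loads. The 50% slack threshold, the 32-byte loader-walk window and the reuse of the report's flag names are assumptions; the sample bytes are constructed and are not taken from the analysed file, and the parser handles only single-DIFAT (v3, under roughly 7 MB) files.

```python
"""Added example (not the analysis engine's code): re-derive the OLE slack and
PEB-access heuristics on a constructed CFB file."""
import re
import struct

SECTOR = 512
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def build_sample_ole(slack_sectors=4):
    """Constructed v3 CFB: FAT in sector 0, directory in sector 1, a 300-byte
    'WordDocument' stream in sector 2, then sectors the FAT marks FREESECT."""
    hdr = bytearray(SECTOR)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)        # version 3, 512-byte sectors
    struct.pack_into("<IIIII", hdr, 0x2C, 1, 1, 0, 0x1000, ENDOFCHAIN)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<III", hdr, 0x40, 0, ENDOFCHAIN, 0)               # no mini FAT, no DIFAT chain
    hdr[0x4C:] = struct.pack("<109I", 0, *([FREESECT] * 108))          # DIFAT[0]: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))

    def entry(name, typ, start, size):
        e = bytearray(128)
        n = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 0x40, len(n), typ, 1, FREESECT, FREESECT,
                         1 if typ == 5 else FREESECT)                    # root's child is entry 1
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, ENDOFCHAIN, 0) + entry("WordDocument", 2, 2, 300) + bytes(256)
    stream = b"\xEC\xA5\xC1\x00" + bytes(296) + bytes(SECTOR - 300)     # Word binary magic, padded
    # Slack: NOP filler with a constructed PEB -> Ldr -> InMemoryOrderModuleList walk planted in it.
    walk = b"\x31\xC0\x64\x8B\x40\x30\x8B\x40\x0C\x8B\x70\x14\xAD"
    slack = bytearray(b"\x90" * SECTOR * slack_sectors)
    slack[700:700 + len(walk)] = walk
    return bytes(hdr) + fat + directory + stream + bytes(slack)


def parse_ole(data):
    """Return (declared_stream_bytes, fat_free_bytes, free_runs); free_runs are
    (offset, length) spans of sectors the FAT marks FREESECT or never describes."""
    assert data[:8] == OLE_MAGIC, "not an OLE/CFB file"
    sector = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)[:n_fat]   # assumption: no DIFAT chain (v3, small file)
    fat = []
    for s in difat:
        fat += struct.unpack_from("<%dI" % (sector // 4), data, (s + 1) * sector)
    declared, s, seen = 0, first_dir, set()
    while s < len(fat) and s not in seen:                      # follow the directory chain through the FAT
        seen.add(s)
        base = (s + 1) * sector
        for i in range(0, sector, 128):
            e = data[base + i:base + i + 128]
            if e[0x42] == 2:                                  # stream object: low 32 bits of size (v3)
                declared += struct.unpack_from("<Q", e, 0x78)[0] & 0xFFFFFFFF
        s = fat[s]
    free = []
    for idx in range((len(data) - sector + sector - 1) // sector):
        state = fat[idx] if idx < len(fat) else FREESECT       # sectors past the FAT are unaccounted too
        if state == FREESECT:
            off = (idx + 1) * sector
            n = min(sector, len(data) - off)
            if free and free[-1][0] + free[-1][1] == off:
                free[-1] = (free[-1][0], free[-1][1] + n)    # merge adjacent free sectors into one run
            else:
                free.append((off, n))
    return declared, sum(n for _, n in free), free


def find_peb_access(buf):
    """Offsets of x86 instructions that read fs:[0x30], the TEB's PEB pointer."""
    hits = []
    for i in range(len(buf) - 1):
        if buf[i] != 0x64:                                     # FS segment override prefix
            continue
        t = buf[i + 1:i + 8]
        if t[:5] == b"\xA1\x30\x00\x00\x00":                   # mov eax, fs:[0x30]
            hits.append(i)
        elif t[:1] == b"\x8B" and len(t) >= 3:
            modrm = t[1]
            if (modrm & 0xC7) == 0x05 and t[2:6] == b"\x30\x00\x00\x00":       # mov r32, fs:[0x30]
                hits.append(i)
            elif (modrm & 0xC0) == 0x40 and (modrm & 7) != 4 and t[2] == 0x30:  # mov r32, fs:[r32+0x30]
                hits.append(i)                                 # (rm=100 needs a SIB byte, so skip it)
    return hits


# mov r32,[r32+0x0C] (PEB.Ldr) then mov r32,[r32+0x14] (InMemoryOrderModuleList) shortly after.
LDR_WALK = re.compile(rb"\x8B[\x40-\x7F]\x0C.{0,16}?\x8B[\x40-\x7F]\x14", re.DOTALL)


def find_loader_walk(buf, peb_hits, window=32):
    """PEB reads followed within `window` bytes by the textbook module-list walk."""
    return [h for h in peb_hits if LDR_WALK.search(buf, h, h + window)]


def triage(data):
    """Apply the report's three OLE heuristics and return the evidence behind each flag."""
    declared, free_bytes, free = parse_ole(data)
    size = len(data)
    r = {"file_size": size, "declared_stream_bytes": declared,
         "unaccounted_bytes": size - declared,                 # the report's figure: bytes in no stream
         "unaccounted_pct": round(100.0 * (size - declared) / size, 1),
         "fat_free_bytes": free_bytes,                         # stricter: sectors the FAT leaves free
         "peb_access_offsets": [], "loader_walk_offsets": []}
    for off, n in free:                                        # only scan the unaccounted-for regions
        chunk = data[off:off + n]
        hits = find_peb_access(chunk)
        r["peb_access_offsets"] += [off + h for h in hits]
        r["loader_walk_offsets"] += [off + h for h in find_loader_walk(chunk, hits)]
    r["flags"] = [name for name, cond in (
        ("OLE_SLACK_ANOMALY", r["unaccounted_pct"] >= 50),    # assumed threshold
        ("SC_PEB_ACCESS", bool(r["peb_access_offsets"])),
        ("OLE_RAW_SHELLCODE_PAYLOAD", bool(r["loader_walk_offsets"]))) if cond]
    return r


if __name__ == "__main__":
    for k, v in triage(build_sample_ole()).items():
        print("%-22s %s" % (k, v))
```

On the constructed file the declared streams total 300 bytes of a 4,096-byte file, so 92.7% is unaccounted for and the FAT itself marks 2,048 bytes free; the single PEB read at offset 2750 is followed by the Ldr walk, so all three flags fire. Point `triage()` at real `.doc` bytes to get the same breakdown; a clean document normally shows only a few hundred bytes of sector padding, not tens of kilobytes.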