Office (OLE) / .DOC malware analysis — malicious · 08fb57910b2e5f3c

MALICIOUS

Office (OLE) / .DOC

99.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 3348fdd8730b34278e83f5fe9a6a972d SHA-1: 70485a959c7e9b5b9bbb6f540ec3a675b0c31e54 SHA-256: 08fb57910b2e5f3cbfda024ca277026cb5210d5116af7f713fe1385e1f43cabb

80 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a malicious OLE document exhibiting a large slack space anomaly and PEB access, indicative of an exploit. The document body contains obfuscated strings that, when reconstructed, reveal a registry path likely used to disable security features or manage persistence. This suggests the document is designed to exploit a vulnerability and download a secondary payload.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 101,376 bytes but its declared streams total only 16,486 bytes — 84,890 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.