Office (OLE) malware analysis — malicious · 0b066797cca05259

MALICIOUS

Office (OLE)

89.2 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 273230e24b66df6b0a74185201b84449 SHA-1: dbd34217ec02be7c0e3d9930918884656d2cf87f SHA-256: 0b066797cca05259cb73d9be927ac36a120df143d688f8bd6a48efd2dc91c586

80 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The file is an OLE document with a large amount of slack space, indicating potential obfuscation or embedded malicious content. The PEB access heuristic suggests an attempt to evade detection or gain elevated privileges. While no specific document body text or scripts were clearly extracted, the combination of these indicators points towards an exploit attempting to download and execute a secondary payload.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 91,352 bytes but its declared streams total only 16,486 bytes — 74,866 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.