Verdict: MALICIOUS (Risk Score: 82)
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample exhibits characteristics of a malicious Office document, including a large slack space anomaly and PEB access, suggesting an attempt to exploit a vulnerability. The embedded URLs, while mostly benign or unknown, indicate potential download sources for a secondary payload. The document body contains obfuscated strings that appear to be API calls for file operations and process execution, further supporting the hypothesis of a downloader or exploit.
Heuristics (3)
- PEB access via FS segment (x86) [high, SC_PEB_ACCESS]: PEB access via FS segment (x86).
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 102,400 bytes but its declared streams total only 16,486 bytes — 85,914 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.