Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0f9c71f0589f6c7b…

MALICIOUS

Office (OLE) / .DOC

Size: 77.5 KB (79,360 bytes)
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11 (Word 2003)
MD5: b677de1ecd1396924664ba93a987dacc
SHA-1: 27d1a0d6b412328d9d3bf6d984bbe25af89b3b73
SHA-256: 0f9c71f0589f6c7bbc9631f01c846c8dd8a438ff5aa532a2a7d6a5e6c884a00e
Risk score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE document in which 79% of the file lies outside any declared stream; slack of that size is characteristic of an embedded payload rather than document content. The heuristics also flag x86 PEB access through the FS segment (fs:[0x30]), which is how position-independent shellcode locates the loaded-module list and resolves API addresses without an import table, so the document carries executable code rather than only text. The document body additionally contains VBA-like constructs that attempt to write to the registry key HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\DisabledItems. Word records documents and add-ins that crashed it under the Resiliency key and offers to disable them on the next start, so tampering with that key is consistent with hiding the trace of a crashed exploit attempt and with disabling Word's own safety prompt; the same constructs may also execute further code.
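As an added example (not part of the original report), the Python below reproduces what a PEB-access heuristic looks for: the x86 encodings of mov r32, fs:[0x30] and mov r32, fs:[r32+0x30] (FS segment prefix 0x64 followed by opcode A1 or 8B), scanned under every single-byte XOR key, because payloads of this kind are normally stored encoded. The filler text, the planted stubs and the 0x5A key are constructed for the example and are not bytes from the analysed document.

```python
# x86 PEB-access scanner with single-byte XOR brute force (added example).
# On 32-bit Windows fs:[0] is the TEB and TEB+0x30 holds the PEB pointer, so a
# "mov reg, fs:[0x30]" or "mov reg, fs:[reg+0x30]" is the opening move of
# shellcode that walks PEB->Ldr to find kernel32 and resolve APIs by hand.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_peb_access(buf: bytes):
    """Return (offset, mnemonic) for every x86 read of fs:[0x30] in buf."""
    hits, n, i = [], len(buf), 0
    while i < n - 1:
        if buf[i] == 0x64:                                   # FS segment override prefix
            op = buf[i + 1]
            if op == 0xA1 and buf[i + 2:i + 6] == b"\x30\x00\x00\x00":   # A1 moffs32: mov eax, fs:[0x30]
                hits.append((i, "mov eax, fs:[0x30]"))
            elif op == 0x8B and i + 3 < n:                   # 8B /r: mov r32, r/m32
                modrm = buf[i + 2]
                mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
                if mod == 0 and rm == 5 and buf[i + 3:i + 7] == b"\x30\x00\x00\x00":  # [disp32]
                    hits.append((i, f"mov {REG32[reg]}, fs:[0x30]"))
                elif mod == 1 and rm != 4 and buf[i + 3] == 0x30:   # [reg+disp8]; rm=4 would need a SIB byte
                    hits.append((i, f"mov {REG32[reg]}, fs:[{REG32[rm]}+0x30]"))
        i += 1
    return hits


def xor_bruteforce_peb(blob: bytes):
    """Try every single-byte XOR key (0 = plaintext); return (key, offset, mnemonic) hits."""
    hits = []
    for key in range(256):
        decoded = blob.translate(bytes(b ^ key for b in range(256)))
        hits += [(key, off, what) for off, what in find_peb_access(decoded)]
    return hits


# Constructed sample (not bytes from the analysed document): ASCII filler with a
# plaintext fs:[0x30] read and a 0x5A-XOR-encoded PEB->Ldr walk planted in it.
FILLER = b"Quarterly report text, constructed filler for this example. "
STUB_PLAIN = bytes.fromhex("64A130000000")               # mov eax, fs:[0x30]
STUB_WALK = bytes.fromhex("31C0648B40308B400C8B4014")   # xor eax,eax; mov eax,fs:[eax+0x30]; mov eax,[eax+0x0C]; mov eax,[eax+0x14]
KEY = 0x5A                                               # example key, chosen arbitrarily
SAMPLE = FILLER * 3 + STUB_PLAIN + FILLER * 2 + bytes(b ^ KEY for b in STUB_WALK) + FILLER * 4

if __name__ == "__main__":
    for key, off, what in xor_bruteforce_peb(SAMPLE):
        print(f"key=0x{key:02X} offset={off:#06x} {what}")
```

Run against a real sample, feed it the raw file (or, better, only the bytes outside declared streams); a hit under a non-zero key is a strong signal on its own, because two adjacent bytes of ordinary document text cannot XOR-decode to the 64 8B or 64 A1 prefix under any single-byte key.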

Heuristics (2)

  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Code reads the Process Environment Block through the FS segment (fs:[0x30]), the starting point for shellcode that locates kernel32 and resolves API addresses without an import table.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 79,360 bytes but its declared streams total only 16,486 bytes: 62,874 bytes (79%) lie in unallocated sector slack. This is the canonical hiding place for the payload of macro-free Office exploit documents: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure.
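The 62,874-byte figure is file size minus declared stream bytes, a metric that also counts the header, FAT and directory sectors and each stream's last-sector padding as "unaccounted", so it overstates the slack somewhat. The finer check is which sectors no FAT chain or header field references at all. The Python below, added here and not the analysis platform's code, builds a minimal CFB v3 file with a constructed WordDocument stream and appended unreferenced bytes, then computes both figures. It assumes a v3 file small enough to need no DIFAT sectors (under roughly 6.8 MiB); the sample contents and sizes are constructed for the example.

```python
import struct

# Minimal OLE/CFB slack accounting (added example). Constants per the CFB spec.
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SECTOR = 512                                     # sector shift 9, as in every Word 2003 (CFB v3) file
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF


def build_sample_ole(stream_payload: bytes, slack: bytes) -> bytes:
    """Constructed input (not the analysed sample): a CFB v3 file with one FAT
    sector, one directory sector and a 'WordDocument' stream of >= 4 KiB (so it
    lives in regular sectors, not the mini stream), followed by unreferenced bytes."""
    n_data = -(-len(stream_payload) // SECTOR)                      # data sectors, chained from sector 2
    hdr = bytearray(SECTOR)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)      # minor/major version, byte order, sector/mini shifts
    struct.pack_into("<IIIII", hdr, 40, 0, 1, 1, 0, 0x1000)         # dir sectors (0 in v3), FAT sectors, first dir sector, txn, mini cutoff
    struct.pack_into("<IIII", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))      # DIFAT[0]: the FAT lives in sector 0
    entries = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_data - 1)] + [ENDOFCHAIN]  # sector 1 = directory, 2.. = data
    fat = struct.pack(f"<{SECTOR // 4}I", *entries, *([FREESECT] * (SECTOR // 4 - len(entries))))

    def entry(name, kind, child, start, size):                      # one 128-byte directory entry
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return raw.ljust(64, b"\x00") + struct.pack("<HBBIII16sIQQIQ", len(raw), kind, 1,
                                                    FREESECT, FREESECT, child, bytes(16), 0, 0, 0, start, size)

    directory = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + entry("WordDocument", 2, FREESECT, 2, len(stream_payload))).ljust(SECTOR, b"\x00")
    return bytes(hdr) + fat + directory + stream_payload.ljust(n_data * SECTOR, b"\x00") + slack


def ole_slack_report(blob: bytes) -> dict:
    """Account for every byte: stream bytes the directory declares (the report's
    metric) versus sectors that no FAT chain or header field references (true slack)."""
    if blob[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    major, = struct.unpack_from("<H", blob, 26)
    sector = 1 << struct.unpack_from("<H", blob, 30)[0]
    n_fat, first_dir, _txn, mini_cutoff = struct.unpack_from("<IIII", blob, 44)
    mini_fat_start = struct.unpack_from("<I", blob, 60)[0]
    if struct.unpack_from("<I", blob, 72)[0]:
        raise NotImplementedError("DIFAT sectors (files over ~6.8 MiB) are outside this example")
    fat_sectors = list(struct.unpack_from("<109I", blob, 76)[:n_fat])   # example assumption: header DIFAT lists all FAT sectors
    fat = []
    for s in fat_sectors:
        fat.extend(struct.unpack_from(f"<{sector // 4}I", blob, (s + 1) * sector))

    def chain(start):                           # follow a FAT chain; special values >= len(fat) end it, loops are refused
        seen = []
        while start < len(fat) and start not in seen:
            seen.append(start)
            start = fat[start]
        return seen

    dir_sectors = chain(first_dir)
    used = set(fat_sectors) | set(dir_sectors) | set(chain(mini_fat_start))
    declared = 0
    for ds in dir_sectors:
        for off in range((ds + 1) * sector, (ds + 2) * sector, 128):
            kind = blob[off + 66]
            start, size = struct.unpack_from("<IQ", blob, off + 116)
            if major == 3:
                size &= 0xFFFFFFFF              # v3 writers leave the high dword undefined
            if kind == 2:                       # stream: only streams >= mini cutoff have their own FAT chain
                declared += size
                if size >= mini_cutoff:
                    used |= set(chain(start))
            elif kind == 5:                     # root entry: its chain is the mini stream container
                used |= set(chain(start))
    total_sectors = (len(blob) - sector) // sector
    tail = (len(blob) - sector) % sector        # bytes after the last whole sector
    unreferenced = [s for s in range(total_sectors) if s not in used]
    slack = len(unreferenced) * sector + tail
    return {"file_size": len(blob), "declared_stream_bytes": declared,
            "unaccounted_by_declared": len(blob) - declared,     # the report's metric
            "unreferenced_sectors": unreferenced, "slack_bytes": slack,
            "slack_pct": round(100 * slack / len(blob), 1)}


if __name__ == "__main__":
    sample = build_sample_ole(b"\xEC\xA5" + b"\x00" * 4350,               # 4,352-byte stand-in stream (Word FIB magic 0xA5EC first)
                              bytes(range(256)) * 10 + b"\x90" * 100)       # 2,660 constructed bytes nothing references
    print(ole_slack_report(sample))
```

The two numbers diverge on purpose: the declared-stream metric treats the FAT, the directory and the sector padding as suspect, while the unreferenced-sector list is what a carver should actually extract and hand to the XOR brute force. A real document with 79% of its bytes in unreferenced sectors is as anomalous under either measure.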