Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 185ebb5e441e6478…

MALICIOUS

Office (OLE) / .DOC

116.1 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: 1a703d4e0b8c1d640f95257e6ab4ff10 SHA-1: 7c00a8f7599c494235030ef4a649f940b051e72f SHA-256: 185ebb5e441e6478598798fc097d3053a6411f50cfb2007ed2fcf1d0a093dbdf
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an OLE document with significant slack space and an appended payload, indicating it likely contains an embedded exploit. The heuristics suggest it is designed to execute a secondary payload, potentially through an embedded OLE object. The document body is heavily corrupted, preventing a clear understanding of its lure, but the technical indicators point towards exploitation.

Heuristics 4

  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 118,848 bytes but its declared streams total only 16,486 bytes — 102,362 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00004c00.ole
195cac81b44271e23a420a1e9e069220e4e1223cf80daf04dce5fc85c3ccb4d1		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x4C00 99392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.