Malicious Office (OLE) / .DO — malware analysis report

Static analysis result for SHA-256 1964e3e1551f9d62…

MALICIOUS

Office (OLE) / .DO

54.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: e002d8caaed74f3783ac153bb54577ca SHA-1: 9bb18dec5c45556038b349163452536f258c6886 SHA-256: 1964e3e1551f9d625cc028c21d1b2a8548f3c29aa923457b93653a1bd5164373
80 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE document exhibiting a high degree of slack space, indicative of potential obfuscation or embedded malicious content. The PEB access heuristic suggests an attempt to interact with the process environment, often a precursor to exploitation. While no specific exploit or payload is directly identified, these indicators point towards an attempt to execute arbitrary code.

Heuristics 2

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 55,296 bytes but its declared streams total only 16,486 bytes — 38,810 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.