Office (OLE) / .DOC malware analysis — malicious · 1a03e34884b07559

MALICIOUS

Office (OLE) / .DOC

132.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 5e72e89f3ebb00be82bef199007c5c89 SHA-1: 546c03b7cb1d286f5bc0e597068a88d17da3aee3 SHA-256: 1a03e34884b0755987cf63909c25bad66ac42360c2cd2324bf92bdf0d9f22c1d

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious OLE document with a large amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate PEB access, often used by malware to evade detection. The document body contains VBA code that attempts to write to the registry key HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\h, likely to disable security features or establish persistence. The VBA code also appears to contain functions for file operations and process execution, suggesting it's a downloader or initial execution stage.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 135,216 bytes but its declared streams total only 16,486 bytes — 118,730 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.