Office (OLE) malware analysis — malicious · 1ec2ea265af2328e

MALICIOUS

Office (OLE)

101.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 8c25118ed5dfef4b378b4e499a0856c5 SHA-1: 12bb21653c9c0023974425bc80a97ec9f80d375e SHA-256: 1ec2ea265af2328eeca1e7b09090e2da6991ff010c5d9172c00aab27548353dd

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The sample is an OLE document with a large slack space anomaly, indicative of obfuscation. A heuristic firing for PEB access suggests potential exploitation. The document body contains VBA-like code that attempts to write to the registry key HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\{3C4D25E0-E689-4194-987B-000000000000}, likely to disable security features or establish persistence. The embedded URL is benign, but the overall structure and heuristics point to a malicious document designed to exploit a vulnerability and download a secondary payload.

Heuristics 3

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 103,424 bytes but its declared streams total only 16,486 bytes — 86,938 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.