Office (OLE) / .DOC malware analysis — malicious · 29129877b865b060

MALICIOUS

Office (OLE) / .DOC

90.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 7a4549e158da0d016cf45f2327a96ac6 SHA-1: 59f8a5cdf421b5fd3763d88059577ef0b968f591 SHA-256: 29129877b865b060a7675a0d882986676b6f66ab5c517f1efd6942034ab12ce1

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1059 Command and Scripting Interpreter

The sample is a malicious Microsoft Word document exhibiting a high degree of slack space anomaly, indicative of obfuscation or embedded malicious content. A PEB access heuristic suggests attempts to evade detection. The document body contains VBA-like code that reconstructs a registry path for disabling items, likely to bypass security measures. The script's intent appears to be to download and execute a second-stage payload, though the exact download URL is not fully reconstructed from the provided snippet.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 92,160 bytes but its declared streams total only 16,486 bytes — 75,674 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.