Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2f30cd63d210efbb…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 160.0 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11.

MD5: e56f042b63ecbfa1ca31e25b3d94c409
SHA-1: 1e29c4be0ddf53afdafd9032986c4e15b369d58d
SHA-256: 2f30cd63d210efbbbb631cb65fe91d658c6bc42accc4b293206da0aa64d7a927

Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The OLE document exhibits a large slack space anomaly, indicating potential hidden content or malicious structures. The PEB access heuristic suggests the file attempts to interact with the process environment, likely to evade detection or facilitate payload execution. While no specific document body text or scripts were clearly extracted, the heuristics point towards a malicious document designed to exploit vulnerabilities and download further stages.

Heuristics (2 triggered)

  • PEB access via FS segment (x86) [severity: high, rule: SC_PEB_ACCESS]
    Code in the file reads the Process Environment Block through the x86 FS segment, a pattern typical of position-independent shellcode resolving APIs at runtime.
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 163,840 bytes but its declared streams total only 16,486 bytes — 147,354 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).