Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3a37afb723285f62…

MALICIOUS

Office (OLE) / .DOC

195.5 KB
MD5: c185f71dcde4da60e93636bbb5b4d7f9
SHA-1: 7319480684d78123de50590f1b10a255df132bd4
SHA-256: 3a37afb723285f6226f18b558df0c15948924cd904a7bbaf1ed248d98c2941f8

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. A high-severity heuristic detected a suspicious invocation of cmd.exe with an execution flag, suggesting the document's intent is to run a command-line payload. No document body text was available for further analysis.

Heuristics (3)

  • PEB access via FS segment (x86) (severity: high, rule: SC_PEB_ACCESS)
  • Suspicious cmd.exe invocation with execution flag (severity: high, rule: SC_STR_CMD)
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 200,193 bytes but its declared streams total only 94,801 bytes; the remaining 105,392 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).