Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3e01aad932fca99a…

MALICIOUS

Office (OLE) / .DOC

Size: 136.2 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
MD5: 9efdb3de597daa179889d656129d51bd
SHA-1: c44274bb2cd8876e5d9b884c5b36897750f10bbf
SHA-256: 3e01aad932fca99ae4bd91cc43702519d3a94206fbd74da1f42968387651fe41
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is a malicious OLE document exhibiting a large slack space anomaly, indicative of embedded malicious content. Heuristics indicate PEB access, suggesting an attempt to bypass security mechanisms. The embedded VBA code, when reconstructed, reveals attempts to write to the registry key HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\3 and potentially execute a file named '1.doc', likely to establish persistence or load a secondary payload.

Heuristics (2)

  • PEB access via FS segment (x86) [severity: high; rule: SC_PEB_ACCESS]
  • OLE document has large unaccounted-for region [severity: high; rule: OLE_SLACK_ANOMALY]
    OLE file is 139,504 bytes but its declared streams total only 16,486 bytes; the remaining 123,018 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).