Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 409a50033c4dee2b…

MALICIOUS

Office (OLE) / .DOC

Size: 88.5 KB | Created: 2007-09-18 04:34:00 | Authoring application: Microsoft Word 11
MD5: 30031a4f54bf4014fc95dcec12d6a013
SHA-1: 78ea2e6bc89c771ff6c5c5f3a119e198d602dc8a
SHA-256: 409a50033c4dee2b8cec615b0f8f127532aa60eeb25d09b2fd3314a6e98f6588
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File Execution
  • T1059 Command and Scripting Interpreter

The sample is a malicious OLE document exhibiting a large slack-space anomaly, indicative of embedded malicious content. A high-severity heuristic firing for PEB access via the FS segment suggests an attempt to bypass security mechanisms or gain low-level system access. While no specific document body content or scripts were clearly extracted, the combination of these indicators points towards an exploit attempting to execute arbitrary code.

Heuristics (2)

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 90,624 bytes but its declared streams total only 16,486 bytes — 74,138 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).