Malware Insights
The sample exhibits a high degree of slack space within the OLE structure, a common indicator of packed or obfuscated malicious content. Additionally, a PEB access heuristic suggests attempts to evade detection or manipulate process information. The document body contains VBA-like function calls that reconstruct registry paths and filenames, indicating an attempt to establish persistence or modify system settings. Specifically, it appears to be writing to 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\3' and 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\1.doc', likely to disable security features or ensure continued execution.
Heuristics (2)
- PEB access via FS segment (x86) [severity: high, id: SC_PEB_ACCESS]: PEB access via FS segment (x86).
- OLE document has large unaccounted-for region [severity: high, id: OLE_SLACK_ANOMALY]: OLE file is 325,120 bytes but its declared streams total only 16,486 bytes; 308,634 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).