Malware Insights
The sample is a malicious OLE document with a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate PEB access, often used by malware to evade detection. The document body contains obfuscated VBA-like code that appears to reconstruct registry paths and potentially execute commands, specifically targeting 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems'. This suggests an attempt to disable security features or establish persistence. The exact execution flow and final payload are not fully discernible due to the obfuscation and truncated nature of the extracted script.
Heuristics 3
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 106,496 bytes but its declared streams total only 16,486 bytes — 90,010 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/officeDocument/2006/customXml
Open this report in the interactive analyzer, or submit your own file for analysis.