Office (OLE) / .DOC malware analysis — malicious · 52d8ec843e222401

MALICIOUS

Office (OLE) / .DOC

187.3 KB

MD5: 9e51cb036b5138e78e01dd7621e73bfc SHA-1: 09654dcf855b57137affbd4c9ab7a853c425405e SHA-256: 52d8ec843e222401e0cfb64c13d2d7ee7b17fda2a23d850ce0df176d6d1132f0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell

The sample exhibits a large amount of slack space within its OLE structure, which is often used to hide malicious content. Furthermore, heuristics indicate suspicious access to the Process Environment Block (PEB) and a suspicious invocation of cmd.exe. These indicators suggest the document is designed to execute a command-line payload.

Heuristics 3

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 191,745 bytes but its declared streams total only 94,801 bytes — 96,944 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.