Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 52e6490a52b34028…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 93.6 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
MD5: 10f6f5e974f39e4ddb7f350bab55fce0
SHA-1: 2792bc50174fadd45789b15139224425c0097097
SHA-256: 52e6490a52b34028144817aa60b6be8fe12516ed8e898bff35c84d31445f6f8c
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample exhibits a high-severity heuristic firing for PEB access via the FS segment, indicating an attempt to exploit a vulnerability or manipulate process information. The large slack space in the OLE structure suggests hidden or packed data, often used to conceal malicious code. While no specific document body content or scripts were clearly extracted, the PEB access heuristic strongly suggests an attempt to download and execute a secondary payload, aligning with common dropper functionality.

Heuristics (2)

  • PEB access via FS segment (x86) [severity: high] SC_PEB_ACCESS
  • OLE document has large unaccounted-for region [severity: high] OLE_SLACK_ANOMALY
    OLE file is 95,824 bytes but its declared streams total only 16,486 bytes; 79,338 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).