Office (OLE) / .DOC malware analysis — malicious · 694e8203f811a305

MALICIOUS

Office (OLE) / .DOC

213.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: cff2bf9157507f37789980055d2d01f0 SHA-1: 291d9ab414ecbff0b90e54a9dee65227a3581539 SHA-256: 694e8203f811a305c24be762a24ee460ea49e82b190ce5135c0bbf9794386ca1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The file is identified as malicious due to high-severity heuristics indicating an appended executable payload and significant OLE slack anomalies. The presence of appended executable-looking bytes strongly suggests the file is a dropper or downloader for a secondary stage. While no specific document body text or scripts were clearly extracted, the overall structure and heuristic firings point towards a malicious OLE file, likely delivered via spearphishing attachment, intended to execute arbitrary code.

Heuristics 3

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 218,160 bytes but its declared streams total only 16,486 bytes — 201,674 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.