Office (OLE) malware analysis — malicious · 6db8be78203ac190

MALICIOUS

Office (OLE)

148.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 10ad7e40be00e2feedb0e160cdf070fa SHA-1: a62f930cb5a385d723dd73ab042f6fc354924804 SHA-256: 6db8be78203ac19080f9f5515017c80df8265a7baa4baf000179e2ace801adfb

80 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample exhibits high heuristic scores for PEB access and a large slack space anomaly, indicative of obfuscation or exploit code. The document body contains numerous embedded OLE objects and what appear to be API calls for file operations and execution, suggesting an attempt to download and run a second-stage payload. Without further script or URL evidence, the exact family and payload remain unknown.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 151,552 bytes but its declared streams total only 16,486 bytes — 135,066 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.