Office (OLE) / .DOC malware analysis — malicious · 79a228b048f7c9d4

MALICIOUS

Office (OLE) / .DOC

69.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 7c82b959698cb8a18b0c92817c7e48c9 SHA-1: 1a3c42e230bdadc5e7f49a597093968fefcbfca1 SHA-256: 79a228b048f7c9d46cd22c5c432cbf2eb3bfba20cc7d44ba019751bac2dc56f0

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample exhibits a large slack space anomaly, indicative of hidden data or shellcode. The PEB access heuristic suggests the presence of shellcode designed to interact with the process environment. The reconstructed registry path HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\h indicates an attempt to disable security features or establish persistence. The overall behavior points to a malicious document designed to download and execute a secondary payload.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 70,656 bytes but its declared streams total only 16,486 bytes — 54,170 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.