Office (OLE) / .DOC malware analysis — malicious · 7dbd4ec766b199a4

MALICIOUS

Office (OLE) / .DOC

119.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 0d0b00fd6808258868f013497714986e SHA-1: 7b1e25c5c1b60e369dc6f144c054e4631d65c448 SHA-256: 7dbd4ec766b199a4612b6ecacdcb2cb9b66e491147c8f9a7159f0811d908d1f3

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The sample is a malicious OLE document exhibiting a large slack space anomaly, indicative of embedded malicious content. The PEB access heuristic suggests an attempt to evade detection or manipulate process information. While no explicit script was extracted, the Office facts reveal VBA code that likely attempts to write to the registry key HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\3 and HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\1.doc, potentially to establish persistence or disable security features, and then execute a payload.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 121,904 bytes but its declared streams total only 16,486 bytes — 105,418 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.