Office (OLE) malware analysis — malicious · 88fa9fa914abb2d7

MALICIOUS

Office (OLE)

176.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 9dfe51950267516993941fc565e0b4f0 SHA-1: 269a3ff976413bd1fea62dc04ca2e6f974261bdd SHA-256: 88fa9fa914abb2d7cc93ea1ff16865516d84837cc29617ceec052872cf98ca9e

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1059 Command and Scripting Interpreter

The sample is an OLE document with a large amount of slack space, indicating potential obfuscation or embedded malicious content. The PEB access heuristic suggests an attempt to interact with the process environment, often used for evasion or payload execution. While no specific script was extracted, the presence of an embedded URL and the overall structure point towards a malicious document designed to exploit vulnerabilities and download further stages.

Heuristics 3

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 180,224 bytes but its declared streams total only 16,486 bytes — 163,738 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.