Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8b59e24ce0245c44…

MALICIOUS

Office (OLE) / .DOC

Size: 136.2 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11

MD5: ad681ff97acfc423fbd2f542364dbd72
SHA-1: ca771901022781d13ee8b04c86339214216ebc49
SHA-256: 8b59e24ce0245c440d1b4c38976871bbf559c74fc9ff7d018e358b7359069574

Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1204 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious OLE document with a large slack space anomaly, indicating potential obfuscation or embedded malicious content. The PEB access heuristic suggests an attempt to evade detection or manipulate process information. The document body contains VBA-like functions that appear to be constructing registry paths and filenames, likely for persistence or payload staging. Specifically, it constructs registry paths such as 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\3' and 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\3.doc', which are then likely used to establish persistence or store downloaded payloads.

Heuristics (2)

  • PEB access via FS segment (x86) [severity: high] [SC_PEB_ACCESS]
    PEB access via FS segment (x86).
  • OLE document has large unaccounted-for region [severity: high] [OLE_SLACK_ANOMALY]
    OLE file is 139,504 bytes but its declared streams total only 16,486 bytes — 123,018 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).