Office (OLE) malware analysis — malicious · 94e7b0f383a3ca93

MALICIOUS

Office (OLE)

81.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 26156780bf5325f06c6140dba555841c SHA-1: f1bdc33dc0bbc3d14b94bc91adcb8c23ab9bafad SHA-256: 94e7b0f383a3ca938e167ee85710f2053bda1ab3b39b163bbfe466d2cb281f26

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample exhibits a high slack anomaly in its OLE structure, indicative of embedded malicious content. The PEB access heuristic suggests an attempt to evade detection or manipulate process information. While no explicit script was extracted, the OLE structure and heuristics point towards a document-based exploit, likely designed to download and execute a secondary payload. The reconstructed registry key HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\h suggests an attempt to bypass Office security features.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 82,944 bytes but its declared streams total only 16,486 bytes — 66,458 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.