Office (OLE) / .DOC malware analysis — malicious · a157386ccd6e8648

MALICIOUS

Office (OLE) / .DOC

69.5 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 43e1b72530be855f7d434264f4164ec2 SHA-1: 56e8cccf865c9383ce311276e8e85c9a1c341a74 SHA-256: a157386ccd6e864892c853ddcaa865e2612cf05346f34e666c74016a56ff1e35

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a malicious OLE document with a large slack space anomaly, indicating potential obfuscation or embedded malicious content. The PEB access heuristic suggests an attempt to evade detection or manipulate process information. While no explicit script was extracted, the document body contains numerous API calls related to file operations and execution (e.g., CreateFileW, WriteFile, WinExec, CloseHandle, ExitThread), strongly suggesting the document's purpose is to download and execute a second-stage payload. The benign URL listed is likely a decoy or part of the document's structure rather than a malicious indicator.

Heuristics 3

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 71,168 bytes but its declared streams total only 16,486 bytes — 54,682 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.