Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b32f5e5a8d05b314…

MALICIOUS

Office (OLE) / .DOC

Size: 478.5 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
MD5: 81ae77a493613e53cc897a802888a3c8
SHA-1: 8c4cffa3d291f8fb7b286ad86cf049337da1b9a5
SHA-256: b32f5e5a8d05b314335c3a603791ba7d2e5b7cc326e54e927b54f8218478cfb6
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample is a malicious OLE document exhibiting a large slack-space anomaly, indicative of embedded malicious content. A high-severity heuristic firing for PEB access suggests an attempt to evade detection or manipulate process information. The document body contains VBA code that reconstructs a registry path for disabling Office features, likely to facilitate further malicious activity. Taken together, this indicates an attempt to exploit a vulnerability in order to download and execute a second-stage payload.

Heuristics (2)

  • PEB access via FS segment (x86) [severity: high, rule: SC_PEB_ACCESS]
    Code in the sample reads the Process Environment Block through the x86 FS segment register.
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    The OLE file is 489,984 bytes, but its declared streams total only 16,486 bytes; the remaining 473,498 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).