Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c1c37a8b5a4f2bd6…

MALICIOUS

Office (OLE) / .DOC

Size: 89.5 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
MD5: fe6bf0f7ad9c62f7592979c24eeef29a
SHA-1: 89723563a0fa0a9eea247bef4ffb9a695c8da829
SHA-256: c1c37a8b5a4f2bd6f64feb3de10dfb6607e4021431aec6d2b4f3526cdb5afa96
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document exhibiting a large slack-space anomaly, indicative of obfuscation or embedded malicious content. The document body contains obfuscated strings that, when reconstructed, reveal a registry path for disabling Office add-ins: HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\DisabledItems. This suggests an attempt to bypass security controls or maintain persistence. The PEB-access heuristic further supports the malicious nature of the file; such access is typically associated with process manipulation or evasion.

Heuristics (2)

  • PEB access via FS segment (x86) [severity: high, id: SC_PEB_ACCESS]
    PEB access via FS segment (x86).
  • OLE document has large unaccounted-for region [severity: high, id: OLE_SLACK_ANOMALY]
    OLE file is 91,648 bytes but its declared streams total only 16,486 bytes; the remaining 75,162 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).