Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ca6e80b6596fcdcc…

MALICIOUS

Office (OLE) / .DOC

Size: 227.0 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11.
MD5: 974babb0d8bed3a6b72cb759477cb292
SHA-1: a1735296b76e974d69b9034ff09da535bf16f4f7
SHA-256: ca6e80b6596fcdccfcc9300a242c3a4181c489943f592ce02e88e109f44de975
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious OLE document exhibiting a large slack space anomaly, indicating potential obfuscation or embedded malicious content. A PEB access heuristic firing suggests the document may attempt to interact with the process environment to facilitate exploitation. While no specific script or VBA was extracted, the heuristics and file type strongly suggest an attempt to exploit a vulnerability to download and execute a secondary payload.

Heuristics (2)

  • PEB access via FS segment (x86) [high, SC_PEB_ACCESS]
    Code in the sample reads the Process Environment Block through the FS segment register, a pattern typical of position-independent x86 shellcode locating loaded modules.
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 232,448 bytes but its declared streams total only 16,486 bytes; 215,962 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).