Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cf3ff26b993d7cf8…

MALICIOUS

Office (OLE)

File size: 136.2 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
MD5: 4efb9b62ba1c8629d6f0603cc3a64dc5
SHA-1: a6dc31572f3d1a56068ad67432ed2d1c7994dc81
SHA-256: cf3ff26b993d7cf8edb3d69a58d084e5c04e420f5d5adb99caf6db5b01cfc74b
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The OLE document exhibits a large slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristics indicate PEB access, suggesting an attempt to manipulate process information. The document body contains reconstructed strings pointing to registry keys used for persistence, specifically 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\Disab', which is likely used to disable security features or load malicious components.

Heuristics (2)

  • PEB access via FS segment (x86) — severity: high — rule: SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region — severity: high — rule: OLE_SLACK_ANOMALY
    OLE file is 139,504 bytes but its declared streams total only 16,486 bytes; 123,018 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).