Office (OLE) / .DOC malware analysis — malicious · d5ee192dc4ae87ee

MALICIOUS

Office (OLE) / .DOC

86.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 1a8521c0de66ebfdc7fc54e0533a12b2 SHA-1: 8c92e54b440e2ad867a2ddc776eaec0e9bf3ce00 SHA-256: d5ee192dc4ae87ee53d1c11710f5e5a40fce97085231bac7e69539f81c396a5a

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample exhibits a high degree of slack space, a common indicator of packed or obfuscated malicious content. The PEB access heuristic suggests the malware is attempting to evade detection. While no specific document body content or scripts were extracted, the combination of these heuristics points towards a malicious document designed to download and execute a secondary payload, likely via obfuscated code or an exploit.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 88,064 bytes but its declared streams total only 16,486 bytes — 71,578 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.