Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 dd9cf0846cde53fc…

MALICIOUS

Office (OLE) / .DOC

Size: 119.0 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11.
MD5: 136bff1bd5259c968a8045f58bbfdfbf
SHA-1: 93f4d67ba334d51d23697280109f881b8e49bc73
SHA-256: dd9cf0846cde53fcb74c99283bc6e824c30b5b5eeded2c899e6c389a2f263cfb
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is a malicious OLE document with a large slack space anomaly, indicating potential obfuscation or embedded malicious content. The SC_PEB_ACCESS heuristic suggests the document attempts to access process information, likely to facilitate exploitation. While no specific script was extracted, the combination of these indicators points to an exploit attempt designed to download and execute a secondary payload.

Heuristics (2)

  • SC_PEB_ACCESS (high): PEB access via FS segment (x86)
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    OLE file is 121,904 bytes but its declared streams total only 16,486 bytes — 105,418 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).