Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e08dc406e0380f7b…

MALICIOUS

Office (OLE) / .DOC

Size: 90.0 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
MD5: 7652dce31d3dd783c8621edf7cfa024f
SHA-1: 4656ebfbc4ed0bf055eb284db721bcec1345c119
SHA-256: e08dc406e0380f7b8c7634e77f9b7eea0c9402f13141bb75b468656b5444ac7e
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious Microsoft Word document that exhibits a large slack space anomaly, suggesting hidden or malicious content. The PEB access heuristic indicates potential anti-analysis or code injection techniques. The document body contains obfuscated strings that reconstruct registry paths related to disabled Word items, likely to bypass security controls and ensure execution. The reconstructed paths are HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\3 and HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\1.doc.

Heuristics (2)

  • PEB access via FS segment (x86) [severity: high, rule: SC_PEB_ACCESS]
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 92,160 bytes but its declared streams total only 16,486 bytes — 75,674 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).