Office (OLE) / .DOC malware analysis — malicious · e78bfb4273d1b03a

MALICIOUS

Office (OLE) / .DOC

50.5 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 589dd6b967fc93f5acbdc80433ec5e57 SHA-1: 48d3b75b355876c333fcb9fff7d954420ab8201f SHA-256: e78bfb4273d1b03adff8ab540b4138801872b81e5e62f97f80fb98b18784a862

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1059 Command and Scripting Interpreter

The sample is a malicious OLE document exhibiting a large slack space anomaly, indicative of potential obfuscation or embedded malicious content. The 'SC_PEB_ACCESS' heuristic suggests the document attempts to interact with the Process Environment Block, a common technique for malware to gain information or manipulate processes. While no specific script was extracted, the combination of heuristics and the document's malicious verdict strongly suggests an exploit attempt to download and execute a secondary payload.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 51,693 bytes but its declared streams total only 16,486 bytes — 35,207 bytes (68%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.