Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 eea1c6dd6ec212b6…

MALICIOUS

Office (OLE) / .DOC

169.8 KB
MD5: 676c5b27ca91ba7a5dd83a1551cb1696 SHA-1: 801ef6066ea15146dc021ead05c43a1fca2fc261 SHA-256: eea1c6dd6ec212b6843eb0c639776ac4c53fb4142fa2916103beb13587de211c
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell

The sample exhibits a large amount of slack space within its OLE structure, which is often used to hide malicious content. Furthermore, heuristics indicate suspicious access to the PEB and a direct invocation of cmd.exe, suggesting an attempt to run a command-line payload. No document body text was available for further analysis.

Heuristics 3

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 173,834 bytes but its declared streams total only 94,801 bytes — 79,033 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.