Office (OLE) malware analysis — malicious · f351581212e1c095

MALICIOUS

Office (OLE)

68.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 3e7351c030f0e27b26daa7e2c0178ba1 SHA-1: 702975fac9ad46952b461583e71fb476caeefc93 SHA-256: f351581212e1c09588b1f2b84ec74f2e51a48fea482d73e724558cb1ebdf824b

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The file is a malicious Microsoft Word document. Heuristics indicate potential PEB access and a large slack space anomaly, suggesting obfuscation or malicious code. The document body contains VBA-like functions that appear to interact with the file system and registry, specifically referencing registry keys related to disabled Office items. This suggests the document is designed to exploit a vulnerability and potentially download a second-stage payload.

Heuristics 2

PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 69,632 bytes but its declared streams total only 16,486 bytes — 53,146 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.