Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f4a22c79c7278380…

MALICIOUS

Office (OLE) / .DOC

Size: 84.0 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
MD5: e4b391d8c453e57e36182bbe13d7bc02
SHA-1: 5b29b2455830f84adb1627714418c7005859dcf4
SHA-256: f4a22c79c727838056e9ec876c2203cc872c731e1092c3e3ff150ea63777eb2a
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File Execution
  • T1059 Command and Scripting Interpreter

The sample is a malicious OLE document exhibiting a large slack-space anomaly, indicative of embedded malicious content. The PEB-access heuristic suggests an attempt to evade detection or manipulate process information. The document body contains obfuscated VBA-like code that appears to construct registry paths for disabling Office features, likely to facilitate payload execution or persistence. Specifically, it constructs the registry paths HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\3 and HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\1.doc, which could be used to bypass security measures or establish persistence.

Heuristics (2)

  • PEB access via FS segment (x86) — severity: high — id: SC_PEB_ACCESS
    The sample reads the Process Environment Block through the x86 FS segment register.
  • OLE document has large unaccounted-for region — severity: high — id: OLE_SLACK_ANOMALY
    The OLE file is 86,016 bytes, but its declared streams total only 16,486 bytes; the remaining 69,530 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).