Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 03ad678d3e9fcc17…

MALICIOUS

Office (OLE) / .DOC

Size: 113.7 KB
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: 01ea52396fecd0e0d6f1c49847b3e698
SHA-1: b70a683e9d376c7c3599039a3b10f66903e379d7
SHA-256: 03ad678d3e9fcc1776aa4cf7e25ac7f8a019cdefed880565635216675f52fda2
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document. Static analysis detected a high-severity heuristic firing for an x86 GetPC stub, indicating the presence of shellcode. Additionally, an OLE slack anomaly suggests the document may contain hidden or obfuscated data. The combination of these findings points to an attempt to exploit a client execution vulnerability.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) [severity: high, rule: SC_GETPC_CALL]
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 116,465 bytes but its declared streams total only 16,536 bytes — 99,929 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).