Office (OLE) / .DOC malware analysis — malicious · 05b86b18156c8c2e

MALICIOUS

Office (OLE) / .DOC

150.0 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: c4caacdd96c51e810343ddec2c65987f SHA-1: 2e8b50755d3eff83fc5de8dbef2fb817e3944921 SHA-256: 05b86b18156c8c2ede507c24fe9347c4478113d6bf57fd39d30f25afbbe50156

80 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an OLE document exhibiting a high-severity OLE slack anomaly and a high-severity x86 GetPC stub, indicating potential malicious code execution. The document body is unreadable, and no scripts were extracted, limiting further analysis. The presence of these indicators suggests an attempt to exploit a client execution vulnerability.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 153,601 bytes but its declared streams total only 16,536 bytes — 137,065 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.