Office (OLE) / .DOC malware analysis — malicious · 0c0dbe54ce8ee580

MALICIOUS

Office (OLE) / .DOC

107.5 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: fa8c1af4d894b081f676ab9b3a772db7 SHA-1: 0ac01dd39d225c61f3b9256de94592c1ce4f4b47 SHA-256: 0c0dbe54ce8ee5802dee68771ea45d29dda16f712388c12c344a7bfd51200bda

80 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document. Static analysis detected a heuristic indicating an attempt to exploit a vulnerability via a GetPC stub, commonly used in shellcode execution. The large amount of slack space in the OLE structure further suggests obfuscation or embedded exploit code. No specific family could be identified, and no document body or scripts were available for further analysis.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 110,081 bytes but its declared streams total only 16,536 bytes — 93,545 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.