Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0d1d3e131a689255…

MALICIOUS

Office (OLE) / .DOC

Size: 79.3 KB (81,156 bytes) | Created: 2009-05-15 02:00:00 | Authoring application: Microsoft Word 9.0 (Word 2000)
MD5: 8150d106744c50d8a844ea375f62f48d
SHA-1: 6cf178832d46e030c1de613d2e7fe00be234cf02
SHA-256: 0d1d3e131a6892555defc992f46ab2b10266a652b266e0ff14fd45fa2ca8fd19
Risk score: 80

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is a Microsoft Word (OLE/.DOC) document exhibiting characteristics of an exploit document rather than a macro document: a NOP sled and a large slack-space anomaly, meaning most of the file lies outside any stream the OLE directory declares. Taken together, a contiguous run of 0x90 bytes and a large undeclared region strongly indicate an attempt to exploit a client execution vulnerability in the Office parser (T1203), with the shellcode staged in the unallocated part of the container.

Heuristics (2)

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes. A run of 0x90 is the classic x86 landing pad that lets an imprecise control-flow hijack slide into shellcode; note that 20 bytes is a low bar and runs of 0x90 can also occur inside embedded binaries or images, so this finding is weighed together with the slack anomaly below.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 81,156 bytes but its declared streams total only 16,486 bytes, so 64,670 bytes (80%) live in unallocated sector slack. This is the classic hiding place for exploit-based (non-macro) Office payloads of this era: typically XOR-encoded shellcode that execution reaches after a parser pointer-corruption bug in the document structure redirects control flow. Caveat: compound files keep freed sectors rather than truncating, so a benign document with a long edit history can also show a sizeable unallocated region; the 80% figure combined with the NOP sled is what makes this finding high-confidence here.
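Both heuristics above are simple enough to reproduce with nothing but the OLE compound-file header, FAT and directory. The following is an added example written for this page, not code from the analysis tool that produced the report: it parses the FAT and directory of a compound file, sums the sizes of the declared streams, reports how much of the file is unaccounted for, and scans the raw bytes for NOP sleds. The sample file it analyses is constructed inline (a single 4,096-byte "WordDocument" stream followed by trailing slack holding a 0x90 sled and a toy XOR-encoded marker); the 50% slack threshold and the 20-byte sled minimum are assumptions chosen to mirror the report's thresholds, and only the 109 DIFAT slots in the header are consulted, which covers files under roughly 6.8 MB.

```python
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
STREAM, ROOT = 2, 5          # directory entry object types


def _sector(data, n, ssz):
    """Sector n lives at offset (n + 1) * sector_size; the 512-byte header is 'sector -1'."""
    return data[(n + 1) * ssz:(n + 2) * ssz]


def load_fat(data):
    """Return (fat, sector_size). Assumption: FAT sectors are all listed in the header DIFAT."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    ssz = 1 << struct.unpack_from("<H", data, 30)[0]
    fat = []
    for i in range(109):
        sec = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        if sec == FREESECT:
            break
        fat.extend(struct.unpack("<%dI" % (ssz // 4), _sector(data, sec, ssz)))
    return fat, ssz


def chain(fat, start):
    """Follow a FAT chain; the visited-set guard stops a crafted loop from hanging the parser."""
    seen, cur = [], start
    while cur not in (ENDOFCHAIN, FREESECT) and cur < len(fat) and cur not in seen:
        seen.append(cur)
        cur = fat[cur]
    return seen


def directory(data, fat, ssz):
    """Return (name, type, start_sector, size) for every in-use directory entry."""
    major = struct.unpack_from("<H", data, 26)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    out = []
    for sec in chain(fat, first_dir):
        raw = _sector(data, sec, ssz)
        for off in range(0, len(raw) - 127, 128):
            e = raw[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            if obj_type == 0:
                continue                      # unused slot
            name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", e, 116)
            if major == 3:
                size &= 0xFFFFFFFF            # v3 files only use the low 32 bits
            out.append((name, obj_type, start, size))
    return out


def slack_report(data, threshold=0.5):
    """Compare file size against the bytes the directory actually declares (OLE_SLACK_ANOMALY)."""
    fat, ssz = load_fat(data)
    entries = directory(data, fat, ssz)
    declared = sum(size for _, t, _, size in entries if t == STREAM)
    slack = len(data) - declared
    return {"file_size": len(data), "declared": declared, "slack": slack,
            "slack_ratio": slack / len(data), "anomalous": slack / len(data) >= threshold,
            "streams": [n for n, t, _, _ in entries if t == STREAM]}


def find_nop_sleds(data, min_len=20):
    """Return (offset, length) of every run of at least min_len 0x90 bytes (SC_NOP_SLED)."""
    return [(m.start(), m.end() - m.start()) for m in re.finditer(rb"\x90{%d,}" % min_len, data)]


def build_sample():
    """Constructed sample: minimal OLE container plus trailing slack with a sled and XOR blob."""
    ssz, stream = 512, b"A" * 4096            # stream occupies sectors 2..9
    nsec = len(stream) // ssz
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(nsec - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (ssz // 4 - len(fat))
    fat_sector = struct.pack("<128I", *fat)

    def entry(name, typ, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(n)] = n
        struct.pack_into("<HBB", e, 64, len(n), typ, 1)              # name length, type, colour
        struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)   # left, right, child
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    unused = bytearray(128)
    struct.pack_into("<III", unused, 68, NOSTREAM, NOSTREAM, NOSTREAM)
    dir_sector = (entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0)
                  + entry("WordDocument", STREAM, NOSTREAM, 2, len(stream)) + bytes(unused) * 2)
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)       # minor, major, byte order, shifts
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))       # DIFAT: FAT is sector 0
    marker = bytes(b ^ 0x41 for b in b"calc.exe")                    # toy XOR-encoded blob, not real shellcode
    slack = b"\x00" * 4096 + b"\x90" * 64 + marker
    return bytes(hdr) + fat_sector + dir_sector + stream + slack


if __name__ == "__main__":
    sample = build_sample()
    print(slack_report(sample))
    print(find_nop_sleds(sample))
```

The sled scan deliberately runs over the whole file rather than over the parsed streams, because the point of the slack heuristic is that the payload sits outside every stream the directory knows about; a parser that only walks declared streams will never see it. On a real sample, a practitioner would follow up by carving the unallocated region and trying the common single-byte XOR keys against it.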