Office (OLE) / .DOC malware analysis — malicious · 0de32d651cef674f

MALICIOUS

Office (OLE) / .DOC

199.0 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 932c652141f0bda30d5f1fa4cca76ce3 SHA-1: 7edaaae55893082d647c9100a8674ad193e5dc2a SHA-256: 0de32d651cef674fff430a51e9f7ecfb886bfb4a0016926f1c34c967d2aa02a4

80 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The OLE document exhibits significant slack space and appended payload bytes, strongly suggesting it functions as a dropper. The heuristics indicate the presence of an executable payload appended to the OLE structure. While no document body or script content is available for further analysis, the appended payload is the primary indicator of malicious intent.

Heuristics 2

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 203,776 bytes but its declared streams total only 16,486 bytes — 187,290 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.