Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0ff4cf5a4281c3d0…

MALICIOUS

Office (OLE) / .DOC

113.4 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: 25d1f6ccf890e51012c860a03045a749 SHA-1: b390f5e89c72aff39577c38f0ce38abbf32f55bf SHA-256: 0ff4cf5a4281c3d036d55c643f36a819639963efdd49916b3e02f6ea03266f0b
80 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious OLE document exhibiting a large slack space anomaly and a detected NOP sled, indicative of shellcode execution. The document body is heavily corrupted, preventing analysis of its specific lure. The presence of these indicators strongly suggests an exploit is embedded within the document, designed to execute arbitrary code upon opening.

Heuristics 2

  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 116,080 bytes but its declared streams total only 16,486 bytes — 99,594 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.