Office (OLE) / .DOC malware analysis — malicious · 220109bdb60e7f31

MALICIOUS

Office (OLE) / .DOC

93.4 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: d7f8dfe8cd23286a7b6879ed8ce2d7fe SHA-1: 95b7fe855389ec4cc71537776f5a7b807308c585 SHA-256: 220109bdb60e7f31987fc3c95dcd2c6acd71a556598824cb857c4b7d50156843

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample is a malicious OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub heuristic firing suggests the exploitation of a code execution vulnerability within the document. Without further script or body content, the exact exploit and payload remain undetermined, but the overall pattern points to a classic Office exploit document.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDI)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 95,615 bytes but its declared streams total only 16,543 bytes — 79,072 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.