Office (OLE) / .DOC malware analysis — malicious · 22a3525666044a8c

MALICIOUS

Office (OLE) / .DOC

1.75 MB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: dd90e2c7337cd72924c89e0068cdefd6 SHA-1: b49ebb8e175f52ffe01d51b0e50a59a775722d8b SHA-256: 22a3525666044a8cc1b0ca6765d5c07fd3bd94c8384800e99336aebcfb74a0f1

80 Risk Score

Malware Insights

The file is a Microsoft Word document with a significant amount of slack space, a common technique for obfuscating malicious content. The 'x86 GetPC stub' heuristic firing suggests the presence of shellcode. While no specific malicious behavior was directly observed in the document body or scripts, the structural anomalies and heuristic firings indicate a high likelihood of it being a malicious container.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 1,834,497 bytes but its declared streams total only 16,536 bytes — 1,817,961 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.