Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2304ec9642649dc0…

MALICIOUS

Office (OLE)

Size: 86.9 KB
Created: 2009-05-15 02:00:00
Authoring application: Microsoft Word 9.1
MD5: edb44382d42ae613eddec0151002ab74
SHA-1: 417e8a642c6adaf24c8995309bd5e0e565e928fc
SHA-256: 2304ec9642649dc0612892b4adb2e57c17690432cfde32aba2c74e48d0efd86f
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204 Malicious File Execution
T1204.002 Malicious File Execution: User Execution

The sample is a Microsoft Word document exhibiting a high degree of slack space, which is indicative of obfuscation or embedded malicious content. The x86 GetPC stub heuristic (CALL $+5; POP EDI) firing suggests the document is designed to execute shellcode. While no document body content or scripts were extracted, the combination of these heuristics strongly points towards a document-based exploit targeting Microsoft Word.

Heuristics (2)

  • SC_GETPC_CALL (high): x86 GetPC stub (CALL $+5; POP EDI)
  • OLE_SLACK_ANOMALY (high): OLE document has large unaccounted-for region
    OLE file is 88,959 bytes but its declared streams total only 8,934 bytes; 80,025 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).