Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 27673a2ba0ea206e…

MALICIOUS

Office (OLE) / .DOC

Size: 71.9 KB
Created: 2006-01-25 08:30:00
Authoring application: Microsoft Office Word
MD5: 6060abe0a697619d68fb3e3750987149
SHA-1: 2b4614403e37c20081760915fa280c9043ca3d2f
SHA-256: 27673a2ba0ea206e7ee6fa5f17fb42064dd8590adecafb4783c3c0fb3e6f832b
Risk Score: 120

Malware Insights

The file is a malicious OLE document with a significant slack-space anomaly, indicating hidden or packed content. ClamAV identifies it as 'Doc.Dropper.Agent-1828508', strongly suggesting its purpose is to act as a dropper for other malware. The presence of a VirtualAlloc API reference further supports the likelihood of dynamic code execution. No specific family could be identified, and no document body or script content was available for further analysis.

Heuristics (3)

  • ClamAV: Doc.Dropper.Agent-1828508 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1828508
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 73,632 bytes but its declared streams total only 21,151 bytes — 52,481 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    The file contains a string reference to the VirtualAlloc API, commonly used to allocate executable memory for dynamically loaded code.