Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2c0bd00725721819…

MALICIOUS

Office (OLE) / .DOC

Size: 229.5 KB
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: 5134ab409394b7eb30b8520f19be19f2
SHA-1: 139f153d1d9cf7ca741cb71ed7cf92689dfe046d
SHA-256: 2c0bd00725721819ddc32dba9d1819a6783b28d46bef2290e3cf56c0912e8877
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204 Malicious File
T1204.002 Malicious File: User Execution

The OLE document exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub further suggests the exploitation of a vulnerability within Microsoft Word to achieve arbitrary code execution. Without further script or body content, the specific exploit and payload remain undetermined.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) — severity: high — rule: SC_GETPC_CALL
    A CALL $+5 immediately followed by POP EAX is the classic position-independent "get program counter" idiom used by shellcode to locate itself in memory.
  • OLE document has large unaccounted-for region — severity: high — rule: OLE_SLACK_ANOMALY
    OLE file is 235,009 bytes but its declared streams total only 16,536 bytes — 218,473 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).