Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 31315240cd6c5790…

MALICIOUS

Office (OLE) / .DOC

Size: 73.5 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11.
MD5: af3f49809c41fd5a331cb71c5f849768
SHA-1: 606e46e9b96c9be7bf50a040ccf29f018ecd1112
SHA-256: 31315240cd6c5790a677ffab53de28b18e32a6487fb87194930b5e636fd53239
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The file is identified as malicious by ClamAV with the signature Win.Exploit.Shellcode-23, indicating it contains shellcode. High severity heuristics for NOP sled and OLE slack anomaly further support the presence of injected or obfuscated code. The document body is heavily corrupted, preventing analysis of its specific lure, but the overall evidence points to a classic exploit document designed to drop and execute a secondary payload.

Heuristics (3)

  • ClamAV: Win.Exploit.Shellcode-23 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Exploit.Shellcode-23
  • NOP sled detected (severity: high, SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 75,264 bytes but its declared streams total only 16,486 bytes — 58,778 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).