Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4024f261887a6036…

MALICIOUS

Office (OLE) / .DOC

Size: 109.0 KB
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: c21a9fae2bcaeafe41a821b261c22f4c
SHA-1: d446c59b569271cb2b1831340c6d6fa59538a3d0
SHA-256: 4024f261887a60365e56beadfe5d9eb3bcc46d50d7f57c18b83e68ab0a4b1182
Risk Score: 80

Malware Insights

The file is an OLE document with a significant amount of slack space, which is often used to hide malicious code or exploits. The 'x86 GetPC stub' heuristic firing indicates the presence of shellcode. No document body or scripts were extracted, limiting the ability to determine the exact attack pattern or family. The file is classified as malicious.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) [severity: high, rule: SC_GETPC_CALL]
    The CALL $+5; POP EAX sequence pushes its own return address and immediately pops it into EAX, giving position-independent code its runtime address; this is the classic way shellcode locates itself and its encoded payload, and it has no legitimate reason to appear in a Word document.
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 111,617 bytes but its declared streams total only 16,536 bytes; the remaining 95,081 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).