Office (OLE) / .DOC malware analysis — malicious · 51e5fbcdaa07a584

MALICIOUS

Office (OLE) / .DOC

127.5 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: 39990eb8f9d7924af07599d32129386b SHA-1: 46c04d1fae243a1d5f961643af5a569ea854b38e SHA-256: 51e5fbcdaa07a5842e003061d89bc3fdb8808184c4e752c38bfbd3e154c0fb6f

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1059 Command and Scripting Interpreter

The document is a malicious OLE file that contains a high-severity heuristic firing for an x86 GetPC stub, indicating potential shellcode execution. The large slack space in the OLE structure is also anomalous. While no specific exploit or payload is directly identified, these indicators suggest the document is designed to exploit a vulnerability, likely to download and execute a secondary payload.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 130,561 bytes but its declared streams total only 16,536 bytes — 114,025 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.