Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 556b29673c4b5c37…

MALICIOUS

Office (OLE) / .DOC

Size: 680.0 KB
Created: 2010-03-15 07:42:00
Authoring application: Microsoft Office Word
MD5: 75beb0995643501f33c3338dfea09280
SHA-1: 57cee1fd558ea87911082322a6a1e3b2cf1380e2
SHA-256: 556b29673c4b5c37ec841452cb3fbfee3c425ff5211749f863ef05f2873d4b6f
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The document contains a NOP sled, a common indicator of embedded shellcode. The presence of an EMF object inside an EPRINT stream is also suspicious. While the document body discusses technical integration requirements, the underlying OLE structure suggests an attempt to hide malicious code. No scripts were extracted from this sample.

Heuristics (3)

  • Office EPRINT stream contains EMF object (severity: high; CVE related; rule: OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream carrying EMF data. This is rare in benign documents and, when paired with other Office exploit payload anomalies, is evidence of the CVE-2007-3893 / MS07-046 family; this rule alone does not prove that the EMF record is malformed.
  • NOP sled detected (severity: high; rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
  • NOP-equivalent sled detected (severity: medium; rule: SC_NOP_EQUIV_SLED)
    Long run of 0x41 bytes (0x41 decodes as inc ecx on 32-bit x86 and is also ASCII 'A', so long filler strings can trigger this rule).