Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5721c6205974c5c5…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC
Size: 79.3 KB
Created: 2009-05-15 02:00:00
Authoring application: Microsoft Word 9.0
MD5: e227de143892891587054a28ca7209eb
SHA-1: 78188f2003a5dcde940b55189b9fd186ea20f318
SHA-256: 5721c6205974c5c5fcbd9bb492797a8e140cf8380b98bf4fbddb76a87ccd2dc6
Risk Score: 80

Malware Insights

MITRE ATT&CK: T1204.002 Malicious File

The file exhibits characteristics of a malicious document, specifically a large amount of slack space and a detected NOP sled. These indicators point towards an attempt to exploit a vulnerability, likely a buffer overflow, to execute arbitrary code. No specific family could be identified due to the lack of executable code or network indicators.

Heuristics (2)

  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 81,156 bytes but its declared streams total only 16,486 bytes; the remaining 64,670 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).