Malicious Office (OLE) / .DOC — malware analysis report

Heuristics 3

• OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
  OLE file is 544,147 bytes but its declared streams total only 31,321 bytes — 512,826 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
• OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
  OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://microsoft.com0

  • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
  • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
  • http://go.microsoft.com/fwlink/?LinkID=91955ARPNOREPAIRARPNOMODIFYemptyfalseJoltVersionSOFTWARE\Microsoft\Silverlight[FullVersion
  • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
  • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
  • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
  • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
  • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^
  • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��
  • http://www.microsoft.com/pkiops/docs/primarycps.htm0@
  • http://go.microsoft.com/fwlink/?LinkID=91955ARPNOREPAIRARPNOMODIFYemptyfalseJoltVersionSOFTWARE

Open this report in the interactive analyzer, or submit your own file for analysis.