Verdict: MALICIOUS
Risk Score: 140

Malware Insights
The file exhibits high-severity heuristics including a heap spray pattern and significant slack space, strongly suggesting it is not a benign document. ClamAV detection as 'Doc.Trojan.WhiteIce-1' further supports its malicious nature. The document body discusses anti-pyramid scheme efforts, which is likely a lure or obfuscation for the underlying malicious functionality.
Heuristics (3)

- ClamAV: Doc.Trojan.WhiteIce-1 (severity: critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.WhiteIce-1
- Heap-spray pattern detected (severity: high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found
Disassembly
Attempted x86 opcode disassembly
- OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY): OLE file is 383,488 bytes but its declared streams total only 144,235 bytes; 239,253 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).