Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5f07ef6827b898cb…

MALICIOUS

Office (OLE)

Size: 374.5 KB (383,488 bytes) | Created: 2012-06-05 08:33:00 | Authoring application: Microsoft Office Word | First seen: 2015-10-01
MD5: a14577ba91a9aa6f3f679eae41718bd0 SHA-1: 516021f372dbe4df141530788dae90a71c1913d1 SHA-256: 5f07ef6827b898cb8a8b2850773ecfb87183e5d5af4d86e9eaab17bd2ad11a86
Risk Score: 140

Malware Insights

Two high-severity heuristics fire on this file: a long run of repeated 0x41 bytes of the kind used as an execution sled in heap sprays, and an unusually large region of the OLE container that no declared stream accounts for. Neither is conclusive alone, but together with the ClamAV detection as Doc.Trojan.WhiteIce-1 they point clearly to a malicious document rather than a benign one. The visible document text discusses anti-pyramid-scheme efforts, which is most plausibly a decoy chosen to look legitimate to the recipient while the malicious content sits outside the text stream.

Heuristics (3)

  • ClamAV: Doc.Trojan.WhiteIce-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.WhiteIce-1
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 ('A') bytes found. In 32-bit x86 mode 0x41 decodes as the single-byte instruction inc ecx, so execution that lands anywhere in the run slides harmlessly to whatever follows it; this is the sled shape used in heap sprays and in overflow filler. On its own the run is only an indicator: padding, fuzzer output and ordinary text can produce the same bytes, and in 64-bit mode 0x41 is a REX prefix rather than an instruction, so confirm what the run leads into before treating it as shellcode.
    Disassembly
    Attempted x86 (32-bit) opcode disassembly
    00026E3A  41                inc ecx
    00026E3B  41                inc ecx
    00026E3C  41                inc ecx
    00026E3D  41                inc ecx
    ... (96 consecutive 0x41 bytes, 00026E3A through 00026E99, every one decoding to inc ecx)
    00026E99  41                inc ecx
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The OLE file is 383,488 bytes, but its declared streams total only 144,235 bytes, leaving 239,253 bytes (62%) in sectors that no stream claims. This is the classic hiding place for Office exploit documents that rely on a parser bug rather than on macros: the document structure triggers a pointer-corruption bug in the parser, and the payload it reaches is XOR-encoded shellcode stored in the unallocated sectors. Some slack is normal, because OLE containers are not compacted when content is deleted or rewritten, so what matters is what the free sectors hold: low-entropy filler or stale document data is expected, while a high-entropy blob, or one that decodes under a single-byte XOR key to recognisable code, is not.
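Both heuristics above can be reproduced with a few dozen lines. The following Python is an added example written for this page, not the analysis platform's own code and not derived from the flagged file: it builds a small, constructed OLE container (one WordDocument stream followed by sectors the FAT marks free but which are filled with 0x41), parses the CFB header, FAT and directory to compare the file size with the declared stream sizes and to count the free sectors, and scans for long runs of single-byte x86 sled opcodes. The container builder, the sample sizes and the SLED_OPCODES table are assumptions made for the example; files that need DIFAT sectors (more than 109 FAT sectors) are deliberately rejected rather than mis-parsed.

```python
import struct
from itertools import cycle, islice

# MS-CFB (OLE2 compound file) constants.
OLE_MAGIC    = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT     = 0xFFFFFFFF   # sector not allocated to any chain
ENDOFCHAIN   = 0xFFFFFFFE
FATSECT      = 0xFFFFFFFD
NOSTREAM     = 0xFFFFFFFF
STGTY_STREAM = 2
STGTY_ROOT   = 5

# Single-byte x86 (32-bit mode) instructions usable as a landing sled: execution
# can begin at any byte of the run and fall through harmlessly to what follows.
SLED_OPCODES = {0x90: "nop"}
for _i, _reg in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]):
    SLED_OPCODES[0x40 + _i] = f"inc {_reg}"
    SLED_OPCODES[0x48 + _i] = f"dec {_reg}"


def _dir_entry(name, typ, start, size, child=NOSTREAM):
    """One 128-byte CFB directory entry (no siblings, no CLSID, no timestamps)."""
    name_utf16 = (name + "\0").encode("utf-16-le")
    return (name_utf16.ljust(64, b"\0")
            + struct.pack("<HBBIII", len(name_utf16), typ, 1, NOSTREAM, NOSTREAM, child)
            + bytes(16) + bytes(4) + bytes(16)          # CLSID, state bits, timestamps
            + struct.pack("<IQ", start, size))


def build_sample_ole(stream_size=5000, free_sectors=20, fill=0x41):
    """Constructed test input (hypothetical, not the file in the report): a v3
    OLE container with one 'WordDocument' stream, followed by sectors the FAT
    marks FREE but which hold `fill` bytes, i.e. data no stream accounts for."""
    sec = 512
    n_stream = -(-stream_size // sec)                    # sectors the stream needs
    first_stream, first_free = 2, 2 + n_stream
    # Sector 0 is the FAT, sector 1 the directory, then the stream chain.
    fat = [FATSECT, ENDOFCHAIN] + list(range(first_stream + 1, first_free)) + [ENDOFCHAIN]
    fat += [FREESECT] * (sec // 4 - len(fat))
    header = (OLE_MAGIC + bytes(16)
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *([FREESECT] * 108)))
    directory = (_dir_entry("Root Entry", STGTY_ROOT, ENDOFCHAIN, 0, child=1)
                 + _dir_entry("WordDocument", STGTY_STREAM, first_stream, stream_size)
                 ).ljust(sec, b"\0")
    body = bytes(islice(cycle(b"lorem ipsum dolor sit amet "), stream_size))
    return (header + struct.pack(f"<{sec // 4}I", *fat) + directory
            + body.ljust(n_stream * sec, b"\0") + bytes([fill]) * (free_sectors * sec))


def analyze_ole(data):
    """Parse the container and compare the file size with the declared streams."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB container")
    major = struct.unpack_from("<H", data, 0x1A)[0]
    sec = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    if struct.unpack_from("<I", data, 0x48)[0]:
        raise NotImplementedError("DIFAT sectors (more than 109 FAT sectors) are not handled here")
    fat = []
    for s in struct.unpack_from(f"<{n_fat}I", data, 0x4C):
        fat += struct.unpack_from(f"<{sec // 4}I", data, (s + 1) * sec)
    # Walk the directory chain; sizes of mini-stream entries are declared here too.
    streams, s, seen = {}, first_dir, set()
    while s < len(fat) and s not in seen:                # stops on ENDOFCHAIN and FAT loops
        seen.add(s)
        base = (s + 1) * sec
        for off in range(base, base + sec, 128):
            if data[off + 0x42] != STGTY_STREAM:
                continue
            nlen = struct.unpack_from("<H", data, off + 0x40)[0]
            name = data[off:off + max(nlen - 2, 0)].decode("utf-16-le", "replace")
            size = struct.unpack_from("<Q", data, off + 0x78)[0]
            streams[name] = size & 0xFFFFFFFF if major == 3 else size   # v3: low 32 bits only
        s = fat[s]
    total = (len(data) - sec) // sec
    free = sum(1 for i in range(min(total, len(fat))) if fat[i] == FREESECT)
    declared = sum(streams.values())
    return {"file_size": len(data), "streams": streams, "stream_bytes": declared,
            "unaccounted_bytes": len(data) - declared,
            "unaccounted_pct": round(100 * (len(data) - declared) / len(data), 1),
            "free_sectors": free, "free_bytes": free * sec}


def find_byte_runs(data, min_run=64):
    """Maximal runs of one repeated byte value, as (offset, value, length)."""
    runs, i, n = [], 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append((i, data[i], j - i))
        i = j
    return runs


def sled_candidates(data, min_run=64):
    """Runs whose byte is a single-byte x86 instruction usable as a sled."""
    return [(off, val, ln, SLED_OPCODES[val])
            for off, val, ln in find_byte_runs(data, min_run) if val in SLED_OPCODES]


if __name__ == "__main__":
    sample = build_sample_ole()
    info = analyze_ole(sample)
    print(f"{info['file_size']} bytes, declared streams {info['stream_bytes']} bytes, "
          f"unaccounted {info['unaccounted_bytes']} ({info['unaccounted_pct']}%), "
          f"FREE sectors {info['free_sectors']} ({info['free_bytes']} bytes)")
    for off, val, ln, mnem in sled_candidates(sample):
        print(f"sled candidate: {ln} x 0x{val:02X} ({mnem}) at 0x{off:08X}")
```

To run it on a real .doc, replace the constructed sample with the file's bytes. The report's 239,253-byte figure corresponds to unaccounted_bytes; free_bytes separates genuinely unallocated sectors from the header, FAT and directory overhead that the cruder metric also counts, which is the number to feed into an entropy or XOR-key check.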