Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 62f2e82fab91730e…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 103.1 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: 9248af3766265718fc1f4a2f7ea9a878
SHA-1: 757f99c1f05f7e155f377dd51231097450f132f0
SHA-256: 62f2e82fab91730ec9b7e96bcf23c5000474df283e4f07fe757dae857f14be2c
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE file with a large amount of slack space and appended payload bytes, indicating it likely contains and executes a secondary stage. The presence of a heuristic related to CVE-2009-0556 suggests exploitation of a known vulnerability for client execution. No specific family could be identified from the available evidence.

Heuristics (3)

  • PowerPoint OffArray-style record stub, CVE-2009-0556 related (severity: high; category: CVE related; id: PPT_CVE_2009_0556_RELATED)
    Small embedded PowerPoint Document stream contains the sparse record set associated with OffArray-style exploit stubs and lacks the normal text/placeholder atoms. This is CVE-2009-0556-family evidence, reported as "related" until the malformed OffArray field is validated directly.
  • OLE document has large unaccounted-for region (severity: high; id: OLE_SLACK_ANOMALY)
    OLE file is 105,552 bytes but its declared streams total only 15,628 bytes; the remaining 89,924 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high; id: OLE_APPENDED_PAYLOAD)
    OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.