Office (OLE) / .DOC malware analysis — malicious · 65d68e108f1b370c

MALICIOUS

Office (OLE) / .DOC

83.0 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: 605f77d2389e97827ce7ac453d7027c7 SHA-1: d7d3217331415556bb47a9e37c12c8d38e45ddac SHA-256: 65d68e108f1b370c6bfa7f16585b88b7c6598b8569c03111c8d6ff9edc54a316

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-7084142-0. The OLE document structure shows a significant amount of slack space, which is often used to hide malicious content. While no document body or scripts were extracted, the combination of the ClamAV detection and the OLE slack anomaly strongly suggests the file is a dropper designed to exploit a client-side vulnerability and download a secondary payload.

Heuristics 2

ClamAV: Doc.Dropper.Agent-7084142-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7084142-0
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 84,992 bytes but its declared streams total only 16,486 bytes — 68,506 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.