Office (OLE) / .DOC malware analysis — malicious · 7170fbd989ec3c29

MALICIOUS

Office (OLE) / .DOC

174.0 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: c7bad6136102e142388dfd29720150b4 SHA-1: 34a6063c9002dbed4a4ae2d1c257f36551983a4f SHA-256: 7170fbd989ec3c2997119cf6737bfef345130ed7afa942099656eaef8e5a6ad1

80 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a malicious OLE document that exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub heuristic firing suggests the exploitation of a client-side vulnerability, likely for arbitrary code execution. No document body or scripts were extracted, limiting further analysis of the specific payload or lure.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 178,177 bytes but its declared streams total only 16,536 bytes — 161,641 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.