Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 740c729186943bf6…

MALICIOUS

Office (OLE)

Size: 477.1 KB
Created: 2009-05-21 02:07:35
Authoring application: Microsoft PowerPoint
First seen: 2012-06-30
MD5: 2c0a62caa3d45a3c6407fff84100f4a3
SHA-1: d01f72a89ecce46a55fd11b6f5aa328ace6aa4dc
SHA-256: 740c729186943bf61b63ce0aacc86e2d5541d3f34ead14f368d7c53c786c3fc9
Risk Score: 120

Heuristics (3)

  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
    Disassembly hidden: these bytes score as degenerate rather than coherent x86 code (the single mnemonic 'nop' accounts for 100% of instructions), which indicates a sled or a padding/filler run, not program logic.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 488,528 bytes, but its declared streams total only 18,081 bytes; the remaining 470,447 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes (severity: high, rule: OLE_APPENDED_PAYLOAD)
    The OLE compound file contains a large high-entropy region beyond the declared major streams, and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.