Office (OLE) malware analysis — malicious · 7c839c07de9e13f5

MALICIOUS

Office (OLE)

131.5 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: 6126ad4486349b913c14da97099dfb86 SHA-1: aa471d07db8c2f672776482db2eb9448d82155bf SHA-256: 7c839c07de9e13f5b26058ad1de71362356573ead1bcebb8be0e54b2ec998ff5

80 Risk Score

Malware Insights

The OLE document exhibits a significant slack space anomaly, indicating it may be intentionally structured to hide malicious content. The presence of an x86 GetPC stub further suggests the potential for executable code. However, no specific malicious behavior or payload could be confirmed from the available heuristics and document body.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 134,657 bytes but its declared streams total only 16,536 bytes — 118,121 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.