Office (OLE) / .DOC malware analysis — malicious · 87204a808fc1bdc5

MALICIOUS

Office (OLE) / .DOC

158.5 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: 9fdb7da6e75d07b6b666d35054a14ec5 SHA-1: 7cc99a866170bb233d33e8a939f8e8e1a1e48619 SHA-256: 87204a808fc1bdc507b803d452afbf8783ab9e4ec7db1bc04cfdf5fdbf068707

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1204.002 Malicious File: User Execution

The document is a Microsoft Word file exhibiting a high-risk OLE slack anomaly, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub heuristic further suggests the possibility of shellcode execution. While no specific exploit or payload is directly identified, these indicators point towards a document designed to exploit a vulnerability upon opening.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 162,305 bytes but its declared streams total only 16,536 bytes — 145,769 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.