Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 8a0d8c017f7de4fd…

MALICIOUS

Office (OLE) / .DOC

Size: 343.0 KB
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: e8031aa965b87f063ab2a364bfdc8630
SHA-1: 6c23e71d13b5e94df784e76bd10ad5216e56a4cf
SHA-256: 8a0d8c017f7de4fdcb726bbd1bf7c70c3c9336b1b5a3f51f3cdc6c628d1cabce
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution

The sample is a malicious OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The x86 GetPC stub heuristic firing on the file suggests the presence of shellcode. While no specific exploit or payload is directly identified, the combination of these factors strongly points to a document designed to exploit a vulnerability when opened.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) [severity: high, tag: SC_GETPC_CALL]
  • OLE document has large unaccounted-for region [severity: high, tag: OLE_SLACK_ANOMALY]
    OLE file is 351,233 bytes but its declared streams total only 16,536 bytes; 334,697 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).