Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9077116ecb39e045…

MALICIOUS

Office (OLE)

Size: 70.5 KB
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: 6f241d3af26d94376b9a0e50defa3273
SHA-1: 2366b605354987f8de1156c7d146ddd76644a509
SHA-256: 9077116ecb39e045fd94b1b1caa471f20e29a5b75fdbec749e29449ba20d0249
Risk Score: 80

Malware Insights

The OLE document exhibits a high degree of slack space, a common obfuscation technique. The presence of an x86 GetPC stub further indicates potential code execution or obfuscation. Without a document body or scripts, the exact malicious intent cannot be determined, but the heuristics suggest a packed or intentionally obscured malicious payload.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) — severity: high — rule: SC_GETPC_CALL
  • OLE document has large unaccounted-for region — severity: high — rule: OLE_SLACK_ANOMALY
    OLE file is 72,193 bytes but its declared streams total only 16,536 bytes; 55,657 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).