Office (OLE) / .DOC malware analysis — malicious · 9259fedefcc74be3

MALICIOUS

Office (OLE) / .DOC

184.5 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: 7b08f6279fa6439b09774bd8e2e7dae7 SHA-1: fd97b0172ba77763509f212a056173edd9966fdf SHA-256: 9259fedefcc74be34408b3220c8ddf28ed68f9507bc10ac319b7233b43dd4508

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample is a malicious OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The presence of an x86 GetPC stub suggests the execution of shellcode. While no specific exploit or payload is directly identifiable from the provided heuristics and document body, the overall structure and heuristic firings point towards a classic exploit document designed to execute arbitrary code upon opening.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 188,929 bytes but its declared streams total only 16,536 bytes — 172,393 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.