Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 990971bf46465df9…

MALICIOUS

Office (OLE) / .DOC

246.5 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: ee2ae54f8447b31aca34d09c9d7d0401 SHA-1: 31684a93a34af60b526969a5f6bff608bab5ca89 SHA-256: 990971bf46465df9dab67996c003f7871083fd5ae3a870c97a4519ac58b89f75
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical ClamAV detection 'Win.Exploit.Shellcode-23', together with the 'SC_NOP_SLED' and 'OLE_SLACK_ANOMALY' heuristics, strongly indicates embedded shellcode intended to run once a parser vulnerability in the OLE document structure is triggered. The large slack region suggests the exploit payload is padded or obfuscated outside the declared streams, where a stream-by-stream scan would not look. No specific family could be identified, but the pattern is consistent with a shellcode dropper.

Heuristics (3)

  • ClamAV: Win.Exploit.Shellcode-23 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Exploit.Shellcode-23
  • NOP sled detected [high, SC_NOP_SLED]
    Found 20 or more consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 252,416 bytes but its declared streams total only 16,486 bytes; the remaining 235,930 bytes (93%) live in unallocated sector slack. This is the classic hiding place for exploit-based (rather than macro-based) Office payloads: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure.