Office (OLE) / .DOC malware analysis — malicious · 991cc036c9e85e2a

MALICIOUS

Office (OLE) / .DOC

108.0 KB Created: 2009-01-20 08:59:13 Authoring application: Microsoft Office Word

MD5: 7e760025d083a2a98ab7785fd86e6efb SHA-1: e6bfcb9722ece79dadb2ef81f102daf21694b1c8 SHA-256: 991cc036c9e85e2ae809bc548fd7fb30b76b8c1ff4b4e91c45385420fb7447c6

82 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1559.001 Component Object Model Hijacking

The OLE document exhibits a significant slack space anomaly and contains an EMF object within an EPRINT stream, indicating a potential exploit. VBA macro extraction failed due to an unsupported format, preventing further analysis of embedded scripts. The document body contains embedded object identifiers for PowerPoint and Excel, suggesting an attempt to leverage these applications.

Heuristics 3

Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 110,592 bytes but its declared streams total only 34,365 bytes — 76,227 bytes (69%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.