Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9cabb9554927b1fb…

MALICIOUS

Office (OLE)

587.0 KB Created: 2008-07-11 06:57:00 Authoring application: Microsoft Office Word First seen: 2012-06-30
MD5: e3b53753d6b12f241253666dc2c888f4 SHA-1: e052ed3fc6b8695479a895b797bbb2f66705cb3a SHA-256: 9cabb9554927b1fb19bb6ece15c03f6186797e4fb65f96849444b6cb5b4a5053
80 Risk Score

Heuristics 2

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 601,088 bytes but its declared streams total only 16,543 bytes — 584,545 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.