Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a2e8c2df86ab1b98…

MALICIOUS

Office (OLE) / .DOC

Size: 335.5 KB (343,553 bytes)
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: ca1bc1e39b320bb19b7aa0cf24e98175
SHA-1: 8c2e9be7569cb602ee2366fbe9b0d5ff19e6cd30
SHA-256: a2e8c2df86ab1b98cb4030b1a64a9107bad38e3792f051c6388aa1d846777e27
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file is a malicious Microsoft Word document, as indicated by the ClamAV detection 'Doc.Dropper.Agent-1828512'. The heuristic firings corroborate each other: 95% of the file lies outside any declared OLE stream, and that unallocated region contains an x86 GetPC stub, the standard prologue of position-independent shellcode. Together they point to a packed or obfuscated native-code payload hidden in sector slack and reached by a parser exploit rather than by a macro. Slack on its own is not conclusive (deleted content and embedded objects also leave unreferenced sectors), so the GetPC stub is the decisive signal here. The document body is unreadable, so the lure provides no further context.

Heuristics (3)

  • ClamAV: Doc.Dropper.Agent-1828512 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-1828512.
  • x86 GetPC stub (CALL $+5; POP EAX) [high, SC_GETPC_CALL]
    The byte sequence E8 00 00 00 00 58 (a CALL to the next instruction followed by POP EAX) leaves the current instruction pointer in EAX. Shellcode that does not know where it has been loaded uses this idiom to locate its own body, typically an appended decoder loop and encoded payload.
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    The OLE file is 343,553 bytes but its declared streams total only 16,536 bytes; the remaining 327,017 bytes (95%) live in unallocated sector slack that no FAT chain references. This is the canonical hiding place for the payload of a binary-format Office exploit: XOR-encoded shellcode that the parser is steered into via a pointer-corruption bug in the document structure, with no macro involved.