Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a330f881ac9e12bf…

MALICIOUS

Office (OLE) / .DOC

Size: 125.0 KB
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: 83268c9a0f43f04c5abff31fdd2cd112
SHA-1: b767a6d71d1364d73167adef43df1e60c5d797db
SHA-256: a330f881ac9e12bf22591c165d131099a5174300e551fd3991dba9c5059fda12
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204 Malicious File

The file is a Microsoft Word document exhibiting a significant amount of slack space, which is often used to hide malicious content. The 'GetPC stub' heuristic firing further suggests the presence of executable code within the document. Without a document body or scripts, the exact malicious intent cannot be determined, but the structure is indicative of a malicious container.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) (severity: high; SC_GETPC_CALL)
  • OLE document has large unaccounted-for region (severity: high; OLE_SLACK_ANOMALY)
    OLE file is 128,001 bytes but its declared streams total only 16,536 bytes — 111,465 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).