Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a4636cc0a84706e7…

MALICIOUS

Office (OLE)

Size: 43.2 KB (44,286 bytes)
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0 (Word 2002)
MD5: e83fb54c546aa6980a4e9e30abd1565e
SHA-1: 584c64cfc54cd080f1df88fa71f98df7cf1cc184
SHA-256: a4636cc0a84706e76b2a527982a3e0b9f4970d24dba36f1cc0b356cc1be9e78d
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059 Command and Scripting Interpreter

The container shows a large slack-space anomaly: most of the file lies outside any stream the OLE directory declares, which is consistent with a payload hidden from stream-level parsers. The x86 GetPC heuristic fired on the byte sequence E8 00 00 00 00 58 (CALL $+5; POP EAX), the idiom position-independent shellcode uses to learn its own address, so the document very likely carries shellcode rather than odd padding. Neither the heuristics nor the document body identifies the specific vulnerability exploited or a decoded payload; taken together, though, they point to a malicious Office document delivering an embedded exploit and shellcode.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX)  high  SC_GETPC_CALL
    The byte sequence E8 00 00 00 00 58 was found in the file body. CALL $+5 pushes the address of the next instruction and POP EAX retrieves it, giving the code its own address without depending on a fixed load address; the shellcode that follows uses it to locate and decode its encoded body. The stub itself is normally left unencoded with a short decoder loop directly after it, so when a hit like this is real, the bytes immediately following it are usually the place to read off the decoding scheme and key.
  • OLE document has large unaccounted-for region  high  OLE_SLACK_ANOMALY
    OLE file is 44,286 bytes but its declared streams total only 16,536 bytes; 27,750 bytes (63%) live in unallocated sector slack. This is the classic hiding place for Office exploit payloads from before macro-based delivery became dominant: XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure. A clean file also shows a small gap here (the 512-byte header, the FAT and directory sectors, and each stream rounded up to a whole sector), so a few sectors of difference is normal; 63% is not. Stream-oriented tools only dump the declared streams, so carve the unallocated sectors directly when hunting for the payload.
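Both heuristics above can be re-run on any OLE2 file with the following script, added here as a worked example; it is not the analysis engine's code and was not run against this sample. It parses the Compound File Binary header, FAT and directory itself (no olefile dependency), counts how many physically present sectors the FAT leaves unallocated, scans for two GetPC idioms, and flags whether each hit lands in an unallocated sector. build_sample() constructs a small specimen with a 4096-byte WordDocument stream followed by four unallocated sectors holding a CALL $+5/POP EAX stub, a 14-byte XOR decoder loop and a XOR-encoded placeholder payload; the stream name, payload bytes and XOR key 0x5A are all made up for the demonstration. The parser assumes a version-3 file (512-byte sectors) whose FAT sectors all fit in the header DIFAT, which holds for anything under a few megabytes.

```python
"""Re-check the two heuristics from the report on any OLE2/CFB file: FAT-level slack and x86 GetPC stubs.
Example code, not the analysis engine's. Assumes a v3 file (512-byte sectors) whose FAT sectors are all
listed in the header DIFAT (up to 109 FAT sectors, i.e. files of a few MB)."""
import re
import struct
import sys

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
STREAM, ROOT = 2, 5
# GetPC idioms: CALL $+5 / POP r32 (E8 00000000 58..5F) and FLDZ / FNSTENV [ESP-0xC] (D9 EE D9 74 24 F4)
GETPC_PATTERNS = [(re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"), "CALL $+5; POP r32"),
                  (re.compile(rb"\xd9\xee\xd9\x74\x24\xf4"), "FLDZ; FNSTENV [ESP-0xC]")]


def find_getpc(data: bytes) -> list:
    """Every (offset, idiom) where a GetPC stub appears in the raw bytes."""
    return sorted((m.start(), desc) for pat, desc in GETPC_PATTERNS for m in pat.finditer(data))


def parse_cfb(data: bytes) -> dict:
    """Walk header, FAT and directory; compare declared stream bytes with what the FAT allocates."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2/CFB file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)          # header DIFAT only (assumption above)
    sector = lambda sid: data[(sid + 1) * ssz:(sid + 2) * ssz]
    fat = [e for sid in difat[:num_fat] for e in struct.unpack(f"<{ssz // 4}I", sector(sid))]
    total = (len(data) - ssz) // ssz                          # sectors physically present in the file
    free = {sid for sid, e in enumerate(fat[:total]) if e == FREESECT}
    streams, sid = [], first_dir                              # directory: 128-byte entries, type 2 = stream
    while sid not in (ENDOFCHAIN, FREESECT) and sid < min(total, len(fat)):
        chunk = sector(sid)
        for off in range(0, ssz, 128):
            name_len, otype = struct.unpack_from("<HB", chunk, off + 0x40)
            if otype == STREAM:
                name = chunk[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
                start, size = struct.unpack_from("<II", chunk, off + 0x74)   # v3: low 32 bits of size
                streams.append((name, start, size))
        sid = fat[sid]
    unalloc = len(free) * ssz
    return {"file_size": len(data), "sector_size": ssz, "total_sectors": total,
            "allocated_sectors": total - len(free), "unallocated_bytes": unalloc,
            "slack_ratio": unalloc / len(data), "streams": streams,
            "declared_stream_bytes": sum(s[2] for s in streams),
            # flag each stub with whether it sits in a sector that no chain owns
            "getpc_hits": [(o, d, o // ssz - 1 in free) for o, d in find_getpc(data)]}


def build_sample() -> bytes:
    """Constructed specimen (not the report's sample): one 4096-byte stream, then four unallocated
    sectors holding CALL $+5/POP EAX, a 14-byte XOR decoder loop and a XOR-encoded placeholder payload."""
    ssz, key = 512, 0x5A                                                   # key is made up for the demo
    hdr = bytearray(ssz)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)          # version, byte order, shifts
    struct.pack_into("<III", hdr, 0x2C, 1, 1, 0)                           # 1 FAT sector (sid 0), dir at sid 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT chain
    hdr[0x4C:] = b"\xff" * (ssz - 0x4C)
    struct.pack_into("<I", hdr, 0x4C, 0)                                   # DIFAT[0] -> FAT sector 0
    fat = [FREESECT] * (ssz // 4)
    fat[0], fat[1], fat[9] = FATSECT, ENDOFCHAIN, ENDOFCHAIN
    for s in range(2, 9):                                                  # stream chain: sids 2..9
        fat[s] = s + 1

    def entry(name, otype, child, start, size):
        e, n = bytearray(128), name.encode("utf-16-le")
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 0x40, len(n) + 2, otype, 1, FREESECT, FREESECT, child)
        struct.pack_into("<II", e, 0x74, start, size)
        return e

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0) + entry("WordDocument", STREAM, FREESECT, 2, 4096)
    payload = bytes([0xCC] * 48)                                           # stand-in for real shellcode
    # call $+5; pop eax; add eax,14; xor ecx,ecx; mov cl,48; L: xor byte [eax],key; inc eax; loop L
    decoder = (b"\xe8\x00\x00\x00\x00\x58\x83\xc0\x0e\x31\xc9\xb1" + bytes([len(payload)])
               + b"\x80\x30" + bytes([key]) + b"\x40\xe2\xfa")
    slack = decoder + bytes(b ^ key for b in payload)
    return (bytes(hdr) + struct.pack(f"<{ssz // 4}I", *fat) + bytes(directory.ljust(ssz, b"\0"))
            + b"A" * 4096 + slack.ljust(4 * ssz, b"\0"))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for k, v in parse_cfb(data).items():
        print(f"{k}: {v}")
```

Run it as `python3 cfb_slack.py sample.doc`; with no argument it triages the constructed specimen, reporting 4096 declared stream bytes, 2048 unallocated bytes and one GetPC hit at offset 5632 inside an unallocated sector. The slack figure is measured at the FAT level (sectors present in the file that no chain claims), which is a tighter measure than file size minus the sum of declared stream sizes: the header, FAT and directory sectors are allocated but belong to no stream, so they never inflate the number.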