Office (OLE) / .DOC malware analysis — malicious · ab4be8b37f8369aa

MALICIOUS

Office (OLE) / .DOC

116.5 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: 4a06e6fc6098a5cbfb03d68c35695a2a SHA-1: 0896f38bc0bfda466b3c0af7524d0c88689014ae SHA-256: ab4be8b37f8369aaeda4d91707d100bd5de67f07286e473e053c3f74270af510

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The document is a Microsoft Word file exhibiting a high-severity OLE slack anomaly, indicating a potentially packed or obfuscated payload. A high-severity heuristic also fired for an x86 GetPC stub, commonly used in shellcode to locate its own position in memory. These indicators suggest the document is designed to exploit a vulnerability and execute arbitrary code, though no specific exploit or family can be confidently identified.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 119,297 bytes but its declared streams total only 16,536 bytes — 102,761 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.