Office (OLE) malware analysis — malicious · bd7a6a310abd537c

MALICIOUS

Office (OLE)

100.4 KB Created: 2009-05-15 02:00:00 Authoring application: Microsoft Word 9.1

MD5: 52f77bea60e3f0434099fa2e0995d238 SHA-1: 64a34f283e40246d5a5e1708d95791d946204e5c SHA-256: bd7a6a310abd537c98574ef0dfcffb65420d4c2119111dac7e6bbdd6287a586b

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1059 Command and Scripting Interpreter

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. The 'x86 GetPC stub' heuristic suggests the presence of shellcode, commonly used to exploit vulnerabilities. While no specific document body content or scripts were extracted, the combination of these factors points towards a malicious OLE document likely designed to exploit a vulnerability upon opening.

Heuristics 2

x86 GetPC stub (CALL $+5; POP EDI) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EDI)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 102,783 bytes but its declared streams total only 8,934 bytes — 93,849 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.