Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ca7f02cb3d892504…

MALICIOUS

Office (OLE) / .DOC

Size: 112.5 KB (115,201 bytes)
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0 (Word 2002)
MD5: 1d8c94772dec3a991acbe4bcaa159cd3
SHA-1: 252db5b27c738a7fdbfaa5cd38381043ffe203fb
SHA-256: ca7f02cb3d892504322204512518637bbb9aaf75403a5757d6132a457faec828
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204 User Execution
T1204.002 User Execution: Malicious File

The document is a malicious OLE (Compound File Binary) container in which 86% of the file lies outside any declared stream. A few unused sectors left behind by repeated saves are normal in OLE files; a region this large is not, and points to hidden or obfuscated content. The scanner also found an x86 GetPC stub (CALL $+5; POP EAX), the self-locating prologue typical of position-independent shellcode. That pattern can occur in legitimate native code, but a Word document carries no legitimate executable code, so in this context it indicates exploitation of a Word parsing vulnerability to reach arbitrary code execution when the file is opened (T1204.002). The verdict rests on these structural and shellcode heuristics only: no specific malware family could be identified, and the embedded creation timestamp and authoring-application string are attacker-controllable metadata, not evidence for attribution.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL
    CALL $+5 (E8 00 00 00 00) pushes the address of the next instruction and POP EAX (58) retrieves it, giving shellcode its own load address without depending on a fixed position in memory. This is how an exploit payload that lands at an unpredictable address finds its own encoded body and decoder.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 115,201 bytes but its declared streams total only 16,536 bytes: 98,665 bytes (86%) live in unallocated sector slack. Unallocated sectors are the canonical hiding place for exploit-era Office payloads (the generation of document malware that preceded the return of macro-based droppers): XOR-encoded shellcode stored outside every stream and reached through a parser pointer-corruption bug in the document structure. Ordinary editing leaves a small amount of slack; a majority of the file is a reliable anomaly.
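Both heuristics are mechanical checks, shown here as an added Python example that is not part of the original report or of the scanner that produced it. It builds a constructed minimal CFB container (one 4,608-byte stream followed by 20 unallocated sectors; not the analysed sample), measures the slack two ways (the report's own figure, file size minus declared stream bytes, and a stricter FAT-based count of sectors that no chain allocates) and scans for CALL $+5; POP r32 stubs in the clear or under any single-byte XOR key, the encoding the report names. Field offsets follow the [MS-CFB] specification; the stream name "WordDocument", the XOR key 0x41 and the stub offsets are made-up sample values.

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
# POP r32 opcodes that complete a GetPC stub (0x5C POP ESP is left out: never used for GetPC).
POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}


def cfb_slack_report(data):
    """Walk the CFB header, FAT and directory and measure how much of the file no
    stream accounts for. Handles header-resident DIFAT only (<= 109 FAT sectors)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE/CFB container")
    major = struct.unpack_from("<H", data, 0x1A)[0]
    ss = 1 << struct.unpack_from("<H", data, 0x1E)[0]          # 512 (v3) or 4096 (v4)
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    if n_fat > 109:
        raise NotImplementedError("DIFAT sectors not handled in this example")
    sector = lambda n: data[(n + 1) * ss:(n + 2) * ss]            # sector 0 follows the header
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C)[:n_fat]:
        buf = sector(s)                                          # may be short in a truncated file
        fat.extend(struct.unpack("<%dI" % (len(buf) // 4), buf[:len(buf) // 4 * 4]))
    n_sectors = -(-(len(data) - ss) // ss)                        # sectors physically present
    allocated = sum(1 for e in fat[:n_sectors] if e != FREESECT)
    # Directory chain: sum the declared sizes of stream objects (type 2). The visited
    # set guards against FAT loops, which malformed and malicious containers do have.
    declared, seen, s = 0, set(), first_dir
    while s < len(fat) and s not in seen:
        seen.add(s)
        sec = sector(s)
        for off in range(0, len(sec) - 127, 128):
            if sec[off + 0x42] == 2:
                size = struct.unpack_from("<Q", sec, off + 0x78)[0]
                declared += size & 0xFFFFFFFF if major == 3 else size  # v3: upper dword is junk
        s = fat[s]
    return {
        "file_size": len(data), "sector_size": ss, "declared_stream_bytes": declared,
        "unaccounted_bytes": len(data) - declared,                    # the report's metric
        "allocated_sectors": allocated,
        "unallocated_bytes": max(0, len(data) - ss * (1 + allocated)),  # FAT-based, stricter
    }


def find_getpc_stubs(data, start=0):
    """Find CALL $+5 (E8 00 00 00 00) + POP r32, plain or under any single-byte XOR
    key k: the encoded stub is (E8^k, k, k, k, k, POP^k), so four equal bytes after
    the opcode reveal k directly, no 256-key brute force needed."""
    hits = []
    for i in range(start, len(data) - 5):
        k = data[i + 1]
        if (data[i + 2] == data[i + 3] == data[i + 4] == k
                and data[i] ^ k == 0xE8 and (data[i + 5] ^ k) in POP_R32):
            hits.append((i, k, POP_R32[data[i + 5] ^ k]))
    return hits


def build_sample_doc(slack_sectors=20):
    """Constructed sample (not the analysed file): a minimal v3 CFB with one 4,608-byte
    stream in sectors 2-10, followed by unallocated sectors carrying two GetPC stubs."""
    ss = 512
    def dirent(name, objtype, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00"
        return (n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), objtype, 1,
                0xFFFFFFFF, 0xFFFFFFFF, child) + bytes(36) + struct.pack("<IQ", start, size))
    header = (OLE_MAGIC + bytes(16) + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREESECT] * 108))
    stream = bytes((i * 13 + 5) & 0xFF for i in range(9 * ss))
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 11)) + [ENDOFCHAIN]   # sectors 0, 1, 2..10
    fat_sector = struct.pack("<128I", *(fat + [FREESECT] * (128 - len(fat))))
    directory = (dirent("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dirent("WordDocument", 2, 0xFFFFFFFF, 2, len(stream)) + bytes(256))
    # Slack: non-repeating filler so nothing matches by accident, then two planted stubs.
    slack = bytearray((i * 7 + 3) & 0xFF for i in range(slack_sectors * ss))
    slack[1000:1006] = bytes(b ^ 0x41 for b in b"\xe8\x00\x00\x00\x00\x58")  # XOR 0x41, POP EAX
    slack[3000:3006] = b"\xe8\x00\x00\x00\x00\x59"                            # in clear, POP ECX
    return header + fat_sector + directory + stream + bytes(slack)


if __name__ == "__main__":
    doc = build_sample_doc()
    rep = cfb_slack_report(doc)
    print("%(file_size)d bytes, %(declared_stream_bytes)d declared in streams, "
          "%(unallocated_bytes)d in unallocated sectors" % rep)
    for off, key, reg in find_getpc_stubs(doc, start=rep["file_size"] - rep["unallocated_bytes"]):
        print("GetPC stub at 0x%05x: CALL $+5; POP %s (XOR key 0x%02x)" % (off, reg.upper(), key))
```

Run stand-alone it reports 10,240 of 16,384 bytes as unallocated and finds both planted stubs, one under key 0x41 and one in the clear; on a real sample replace build_sample_doc() with open(path, "rb").read(). The FAT-based figure is the one to trust: the header, FAT and directory sectors legitimately sit outside every stream, so file-size-minus-streams overstates slack slightly, while sectors the FAT marks free cannot be reached by any reader and have no business holding data. The XOR shortcut only covers single-byte keys; multi-byte or rolling keys need a real brute force or emulation.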