Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d6a6bcc8c21144fc…

MALICIOUS

Office (OLE) / .DOC

Size: 115.9 KB
Created: 2009-05-15 02:00:00
Authoring application: Microsoft Word 9.1
MD5: f67868666f922bf6eb1228657a55c23b
SHA-1: 48cc3956dff20b7c6b53e9f5f43a89580d477302
SHA-256: d6a6bcc8c21144fcefb31b5a8d068b474d8b0e8b96e72b9614ae3fe27fcff371
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document with significant slack space, indicating potential obfuscation. A heuristic firing for 'x86 GetPC stub' suggests the presence of shellcode. While no specific document body content or scripts were clearly extracted, the overall structure and heuristic firings point towards a malicious payload delivery mechanism.

Heuristics (2)

  • x86 GetPC stub (CALL $+5; POP EAX) [severity: high, rule: SC_GETPC_CALL]
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 118,655 bytes but its declared streams total only 8,934 bytes; the remaining 109,721 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).