Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 eb397fd5a272f6f4…

Verdict: MALICIOUS
File type: Office (OLE) / .DOC
Size: 122.4 KB
MD5: 1ad3c02b3bc866aeb99505eb314b8016
SHA-1: c8370985cc5301763464b946b9c26a912d1ff4cc
SHA-256: eb397fd5a272f6f46fa5c8693a6dd921d0600701f126e1da739d71df297fd22c
Risk Score: 100

Malware Insights

The OLE document exhibits a large slack space anomaly and contains embedded objects, which are common characteristics of malicious documents used to hide payloads. The presence of a NOP sled and a reference to VirtualAlloc API further indicate potential shellcode execution. No specific document body content or scripts were extracted to determine a more precise attack pattern or family.

Heuristics (3)

  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    The OLE file is 125,309 bytes, but its declared streams total only 31,351 bytes; the remaining 93,958 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium, rule: SC_STR_VIRTUALALLOC)