MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1027 Obfuscated Files or Information
T1055 Process Injection
The sample exhibits characteristics of malicious software, including XOR-encoded strings and PEB access, which are common obfuscation and evasion techniques. The OLE document structure with embedded objects and a large slack space anomaly further indicates potential malicious activity. Without further script or network indicators, the specific family and attack pattern remain unclear.
Heuristics 4
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
-
XOR-encoded strings (key 0x81) critical SC_XOR_ENCODEDFound 8 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'LoadLibraryA'
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 246,788 bytes but its declared streams total only 60,708 bytes — 186,080 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.