Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 044d649799a7618b…

MALICIOUS

Office (OLE) / .DOC

108.5 KB Created: 2009-05-15 02:00:00 Authoring application: Microsoft Word 9.1
MD5: 4844f0472b6abea6ec8240bc4cfe542a SHA-1: ee57441181b230c35ddfeb0c98a848d7842b39fc SHA-256: 044d649799a7618bffbbe3cbfd61993f7a04ff3adfc78410624a48eb824b6cdc
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, specifically the presence of XOR-encoded strings and a significant amount of slack space within the OLE structure. These indicators suggest an attempt to conceal malicious code or data. No specific family could be identified due to the lack of executable scripts or network indicators.

Heuristics 2

  • XOR-encoded strings (key 0xBA) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xBA: 'LoadLibraryW', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateProcessW'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 111,130 bytes but its declared streams total only 8,934 bytes — 102,196 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.