Office (OLE) / .DOC malware analysis — malicious · 08e772acea255137

MALICIOUS

Office (OLE) / .DOC

327.1 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: dc229e16b2683ea9f8d5a584a6152945 SHA-1: 550edc54e4be1a9513065b2442d4f840c7e551ab SHA-256: 08e772acea255137932748e1589a3d8d5d4942e771b7a1cfdcfd71c9264b8003

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document exhibiting a large amount of slack space and a NOP sled, indicative of shellcode. The presence of XOR-encoded strings with a key of 0x95 further suggests obfuscated malicious content. These factors strongly point towards an exploit attempting to execute arbitrary code within the context of Microsoft Word.

Heuristics 3

XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateProcessA', 'CreateProcessA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 334,932 bytes but its declared streams total only 16,486 bytes — 318,446 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.