Office (OLE) malware analysis — malicious · 0b75345f287ebfd4

MALICIOUS

Office (OLE)

148.0 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: 095155cc4d8b6bb9a01e2b56b6c20aa2 SHA-1: 782b67e83177e996a33f633c34ed6849e6b3322c SHA-256: 0b75345f287ebfd4b90ad0dfc8667f733bb0ca75f9b6d0e2cdf902377c824593

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The sample is an OLE document with a significant amount of appended data, identified as an executable payload. Heuristics indicate XOR-encoded strings and a large slack space anomaly, suggesting obfuscation and attempts to hide malicious content. The presence of appended executable data strongly implies the document is a malicious dropper designed to execute a secondary payload.

Heuristics 3

XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED

Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 151,552 bytes but its declared streams total only 16,486 bytes — 135,066 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.