Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0d49d5558e7bf810…

MALICIOUS

Office (OLE) / .DOC

Size: 83.0 KB
Created: 2009-02-26 07:53:00
Authoring application: Microsoft Office Word
MD5: 60d6179d54935bab599c37d912fa35d1
SHA-1: 5c9a1e5bbe5bf4d06e314944cb5b61f5d3f784a1
SHA-256: 0d49d5558e7bf810914f314c751b2b7e0d848e16f3264518257e5a6e7abd44ad
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an OLE document with a large amount of slack space, indicating potential obfuscation or embedded content. A critical heuristic identified XOR-encoded strings with a key of 0xC2, suggesting the presence of hidden malicious code. The document body is minimal, providing no direct clues to the lure, but the overall structure and encoding point towards a malicious macro-based document.

Heuristics (2)

  • XOR-encoded strings (key 0xC2) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 84,995 bytes but its declared streams total only 16,543 bytes; the remaining 68,452 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).