Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 0e161947b1767450…

MALICIOUS

Office (OLE) / .DOC

218.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 0f99e8e6fd77ddb1813cd3c6275740f4 SHA-1: adee01cfdfb8934f1d5649800b5aa236e0187f8f SHA-256: 0e161947b17674501bde516e5974feed2304f8f8f41b1391f76d358619e5edbc
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file is identified as a malicious OLE document. Static analysis detected a significant amount of slack space (93%) and XOR-encoded strings with a key of 0x95, indicating an attempt to obfuscate malicious content. No specific payload or execution method was directly identified from the provided evidence.

Heuristics 3

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 223,744 bytes but its declared streams total only 16,486 bytes — 207,258 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.