Office (OLE) / .DOC malware analysis — malicious · 10739f486a62569b

MALICIOUS

Office (OLE) / .DOC

61.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: ca47df3888404e397a31893471b132ce SHA-1: 765d04775b32728b9bb8c25582d0424f97d38b01 SHA-256: 10739f486a62569ba8347fa54780bb7d69445e1172aff19070ab3fc0fffb164c

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The sample contains a reference to the CreateProcess API, indicating an attempt to execute external code. Additionally, XOR-encoded strings were detected, suggesting obfuscation to hide malicious content. The large amount of slack space in the OLE structure is also suspicious. Without a document body or scripts, the exact nature of the payload is unclear, but the presence of CreateProcess points to a downloader or dropper.

Heuristics 3

XOR-encoded strings (key 0x88) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x88: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA'
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 63,015 bytes but its declared streams total only 21,151 bytes — 41,864 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.