Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 11d89d566a2a2444…

MALICIOUS

Office (OLE) / .DOC

100.0 KB Created: 2007-11-03 09:34:00 Authoring application: Microsoft Office Word
MD5: e6062e86a69f83c502fb66e7b65bb5f3 SHA-1: 2d23c369fe511d11cd11ac619acaa1b20b85cbfd SHA-256: 11d89d566a2a24448d965a10474f178d9823be0ab012a5edd612e23649ee5ced
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, specifically the presence of XOR-encoded strings and a significant amount of slack space within the OLE structure. These anomalies indicate an attempt to hide or obfuscate malicious code or data within the file. No specific malware family could be identified, and no executable content or network indicators were directly extracted.

Heuristics 2

  • XOR-encoded strings (key 0x6D) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x6D: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 102,400 bytes but its declared streams total only 20,639 bytes — 81,761 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.