Office (OLE) / .DOC malware analysis — malicious · 149a86568f475cf4

MALICIOUS

Office (OLE) / .DOC

388.1 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: 3b4aea5eb40d32964ec0c4e77f18dd73 SHA-1: 6565fd879cf39a0eda06cc3203cf6b1f65f85b3c SHA-256: 149a86568f475cf44ca9d00354ec8f89202fce6cef3a7184a7f44dc608365c3d

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document exhibiting several high-risk heuristics. The presence of a NOP sled and XOR-encoded strings suggests an attempt to obfuscate and execute shellcode. The large amount of slack space in the OLE structure is also indicative of a packed or obfuscated payload, likely intended to exploit a client execution vulnerability.

Heuristics 3

XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 397,385 bytes but its declared streams total only 16,486 bytes — 380,899 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.