Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1824d83d6ba50dc7…

MALICIOUS

Office (OLE) / .DOC

Size: 1.37 MB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11.
MD5: 5ea9b03c27139227b39c1dced79807f2
SHA-1: b0140266ca97d7eaecd908b81520f8ae1bee59ac
SHA-256: 1824d83d6ba50dc75d3df3e976f0f6911088b5528b89f32b6b32c1ad7586fa7c
Risk score: 100

Malware Insights

The sample is an OLE document that triggers a critical-severity heuristic for XOR-encoded strings, suggesting obfuscated malicious code. The large slack-space anomaly further indicates potential hidden content or packing. While no specific document body content or scripts were clearly extracted, the presence of XOR-encoded Windows API names strongly implies the execution of malicious code, likely a downloader or dropper.

Heuristics (2)

  • XOR-encoded strings (key 0x25) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x25: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,440,768 bytes but its declared streams total only 16,486 bytes — 1,424,282 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).