Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1bd98a0ec28356ec…

MALICIOUS

Office (OLE)

Size: 149.0 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: fedb9daa00dac1cd07cc30d4c5650c6e
SHA-1: 4c162a4b3812c9357733d41833ad01bee5360b8d
SHA-256: 1bd98a0ec28356ecbcc0115150f1f1787bda1de83c3be9566100a18111a81f29
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The presence of XOR-encoded strings and a NOP sled suggests that this document contains malicious code, likely an exploit. The embedded URLs point to domains that are likely used for hosting malicious content or phishing. The document body, though heavily obfuscated, contains text that could be interpreted as a lure. The heuristics indicate the presence of exploit-related structures within the OLE document.

Heuristics (4)

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'iphlpapi.dll', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryExA'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 152,576 bytes but its declared streams total only 16,486 bytes — 136,090 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.dirtytalkingguide.com/
    • http://www.dirtytalk101.com/
    • http://www.DirtyTalk101.com