Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1e8af49994d4ce86…

MALICIOUS

Office (OLE) / .DOC

245.0 KB
MD5: c93fb770ba06cae87c77c0cd96fed95a SHA-1: 76bc3e0b07b6b85c4af59035753ba3ba1d9ca53b SHA-256: 1e8af49994d4ce86835b9bb237c2d9a7994c0c53eb9991f71ddebddaf9544ea5
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is an OLE document with significant slack space, indicating an attempt to hide malicious code. Heuristics indicate PEB access and XOR-encoded strings, common in obfuscation techniques. The embedded objects and large slack space suggest a malicious document designed to deliver a payload, though the specific mechanism is not detailed.

Heuristics 3

  • XOR-encoded strings (key 0x81) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'LoadLibraryA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 250,884 bytes but its declared streams total only 60,708 bytes — 190,176 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.