Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 20761b68441db1f6…

MALICIOUS

Office (OLE)

123.8 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word
MD5: d7a02d34cd838dc9ef6a34239450f5d6 SHA-1: 9fde6c5d5c72d17a89d947c56917f3a9c424d782 SHA-256: 20761b68441db1f682e2b56a95803889cacc199eff78760b2200e745d754299d
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or hidden data. The SC_XOR_ENCODED heuristic firing confirms the presence of XOR-encoded strings, a common technique to evade static analysis. No document body or scripts were extracted, limiting the ability to determine the exact payload or delivery mechanism.

Heuristics 2

  • XOR-encoded strings (key 0xA4) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xA4: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 126,726 bytes but its declared streams total only 20,635 bytes — 106,091 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.