Office (OLE) / .DOC malware analysis — malicious · 225a68a0da470f75

MALICIOUS

Office (OLE) / .DOC

96.4 KB Created: 2008-02-27 00:21:00 Authoring application: Microsoft Office Word

MD5: df3d42fe3cee1f044280ad212b219302 SHA-1: 00673d665b638ac778942ac5fb3fa02fe5a362b3 SHA-256: 225a68a0da470f75933ef4fe7d7ba8a35edba1fc95aa82db28a20d7b8f5499ac

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample exhibits characteristics of a malicious Office document, including a high slack anomaly and XOR-encoded strings, suggesting obfuscated malicious content. The embedded URL, though benign, is noted. The primary heuristic indicates the presence of XOR-encoded strings, likely used to hide malicious code or commands. The document body contains what appears to be connection strings for OLE DB, potentially for data exfiltration or further exploitation. The overall structure and heuristics point towards a downloader or exploit delivery mechanism.

Heuristics 3

XOR-encoded strings (key 0xEF) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0xEF: 'kernel32.dll'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 98,720 bytes but its declared streams total only 16,543 bytes — 82,177 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.