Office (OLE) / .DOC malware analysis — malicious · 23cdb3ec652b1821

MALICIOUS

Office (OLE) / .DOC

345.6 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: 8340ea7a8b8291f1e5a8c234e0e61fb5 SHA-1: e25f6bd29aad6ed3a5abfcc041d3e075da4f77c5 SHA-256: 23cdb3ec652b18217e1d945e85a5a378b7e9fd5688e3cb36ae9912f5fc5a9ca5

140 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, including a NOP sled and XOR-encoded strings, suggesting an attempt to obfuscate malicious content. The large slack space in the OLE structure further points to potential embedded malicious components. The XOR key 0x84 was identified during analysis.

Heuristics 3

XOR-encoded strings (key 0x84) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x84: 'kernel32.dll'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 353,886 bytes but its declared streams total only 16,486 bytes — 337,400 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.