Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 256b2e66e5a77b35…

MALICIOUS

Office (OLE) / .DOC

Size: 150.5 KB | Created: 2009-05-15 02:00:00 | Authoring application: Microsoft Word 9.1
MD5: 00b8bd67c35fa4638e74c1dd1c127217
SHA-1: 10f5813cff2d323b652a24c2d8b6cd1354ff5904
SHA-256: 256b2e66e5a77b35cce847cb30bc89941e2f53d4bb0d3fdd8b32b508549d07c8
Risk score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

A critical-severity heuristic fired for XOR-encoded strings: seven Windows API name occurrences are recoverable under a single-byte key (0x83), which indicates deliberate obfuscation of the strings a loader would need to resolve imports and spawn a process. A high-severity heuristic for OLE slack anomaly shows that most of the file lies outside any declared stream, consistent with a payload hidden in unallocated sectors. The document body is heavily corrupted and unreadable, so it offers no clue to the intended lure. Without readable document content or an extracted script, the exact exploitation path and payload-delivery mechanism remain unconfirmed, which lowers the confidence score.

Heuristics (2)

  • XOR-encoded strings (key 0x83) critical SC_XOR_ENCODED
    Found 7 occurrences of Windows library/API names XOR-encoded with single-byte key 0x83: 'LoadLibraryW', 'LoadLibraryExA', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateProcessW', 'RegOpenKeyExA' ('CreateProcessA' occurs twice). Together these are the import-resolution and process-creation primitives a position-independent shellcode stub typically resolves by hand.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 154,138 bytes, but its declared streams total only 8,934 bytes; the remaining 145,204 bytes (94%) lie in sectors that no stream or directory entry accounts for. This unallocated region is the classic hiding place for exploit-style (non-macro) Office payloads: XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure. The ratio alone does not prove a payload, so the check a practitioner should make is to carve the unallocated sectors, XOR-decode them with the recovered key and confirm the decoded region contains the API strings and disassembles as code.
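The two heuristics above, reproduced as an added example (this is not the analyzer's own code): a minimal OLE/CFB walker that measures the region no stream accounts for, carves exactly that region, and brute-forces single-byte XOR keys against a short list of Windows API names inside it. It assumes a CFB v3 file whose FAT is addressable from the header DIFAT (no DIFAT chaining), and the 50% slack threshold, the two-distinct-names rule and the API list are illustrative assumptions. The sample file is constructed inline to mimic the finding (a tiny 'WordDocument' stream followed by unallocated sectors hiding names encoded with key 0x83).

```python
import struct

# Added example, not the analyzer's own code. Assumptions: CFB v3, FAT reachable
# from the header DIFAT (<= 109 FAT sectors), illustrative thresholds and API list.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
API_NAMES = [b"LoadLibraryW", b"LoadLibraryExA", b"GetProcAddress",
             b"CreateProcessA", b"CreateProcessW", b"RegOpenKeyExA"]


def parse_cfb(data):
    """Read sector size, the FAT and the first directory sector from the header."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)            # FAT sector numbers
    fat = []
    for sec in difat[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sec + 1) * sector_size))
    return sector_size, fat, first_dir


def declared_stream_bytes(data, sector_size, fat, first_dir):
    """Sum the stream sizes recorded in the directory chain (entry type 2 = stream)."""
    total, sec, seen = 0, first_dir, set()
    while sec < 0xFFFFFFFA and sec not in seen:                # stop at ENDOFCHAIN or a loop
        seen.add(sec)
        base = (sec + 1) * sector_size
        for e in range(base, base + sector_size, 128):
            if data[e + 0x42] == 2:
                total += struct.unpack_from("<I", data, e + 0x78)[0]
        sec = fat[sec] if sec < len(fat) else ENDOFCHAIN
    return total


def unallocated_regions(data, sector_size, fat):
    """Contiguous runs of sectors the FAT marks free or does not cover at all."""
    regions = []
    for i in range((len(data) - sector_size) // sector_size):
        if i < len(fat) and fat[i] != FREESECT:
            continue
        off = (i + 1) * sector_size
        if regions and regions[-1][0] + regions[-1][1] == off:
            regions[-1] = (regions[-1][0], regions[-1][1] + sector_size)
        else:
            regions.append((off, sector_size))
    return regions


def find_xor_apis(blob, base=0):
    """Try every single-byte key; return {key: [(file_offset, api_name), ...]}."""
    hits = {}
    for key in range(1, 256):
        found = []
        for name in API_NAMES:
            enc = bytes(b ^ key for b in name)
            pos = blob.find(enc)
            while pos != -1:
                found.append((base + pos, name.decode()))
                pos = blob.find(enc, pos + 1)
        if len({n for _, n in found}) >= 2:                    # assumption: two distinct names
            hits[key] = sorted(found)
    return hits


def analyze(data):
    sector_size, fat, first_dir = parse_cfb(data)
    regions = unallocated_regions(data, sector_size, fat)
    slack = sum(length for _, length in regions)
    xor_hits = {}
    for off, length in regions:                                # scan only the carved slack
        for key, found in find_xor_apis(data[off:off + length], off).items():
            xor_hits.setdefault(key, []).extend(found)
    return {"file_size": len(data),
            "stream_bytes": declared_stream_bytes(data, sector_size, fat, first_dir),
            "slack_bytes": slack,
            "slack_pct": round(100 * slack / len(data), 1),
            "slack_anomaly": slack > len(data) // 2,             # assumption: >50% unallocated
            "xor_hits": {k: sorted(v) for k, v in xor_hits.items()}}


def _dir_entry(name, etype, start=ENDOFCHAIN, size=0, child=NOSTREAM):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    e = bytearray(128)
    e[:len(raw)] = raw
    struct.pack_into("<HBBIII", e, 0x40, len(raw), etype, 1, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<IQ", e, 0x74, start, size)
    return bytes(e)


def build_sample(key=0x83, slack_sectors=20):
    """Constructed sample: header, FAT, directory, one 21-byte stream, then
    20 unallocated sectors hiding XOR-encoded API names behind a NOP sled."""
    ss = 512
    hdr = bytearray(ss)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, little-endian, 512-byte sectors
    struct.pack_into("<IIII", hdr, 0x28, 0, 1, 1, 0)              # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    body = b"Lorem ipsum lure text"
    directory = (_dir_entry("Root Entry", 5, child=1) +
                 _dir_entry("WordDocument", 2, start=2, size=len(body)) + b"\x00" * 256)
    payload = bytes(b ^ key for b in (b"\x90" * 64 + b"\x00".join(API_NAMES[:3])))
    slack = (b"\xcc" * (5 * ss) + payload).ljust(slack_sectors * ss, b"\xcc")
    return bytes(hdr) + fat + directory + body.ljust(ss, b"\x00") + slack


if __name__ == "__main__":
    report = analyze(build_sample())
    print({k: v for k, v in report.items() if k != "xor_hits"})
    for key, found in report["xor_hits"].items():
        print("key 0x%02x:" % key, found)
```

Counting FAT-allocated sectors rather than summing directory stream sizes is the more conservative measure: it also credits the FAT, directory and mini-stream sectors, so anything still unaccounted for is genuinely outside the structure. On a real sample, replace `build_sample()` with the file's bytes and expect the first DIFAT-chained or mini-FAT-heavy document to need the chaining this example deliberately omits.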