Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2824e408f3840014…

MALICIOUS

Office (OLE) / .DOC

1.37 MB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: d6763849bd952c1bf571bd72dd88cb38 SHA-1: ca7852cc22c656c65c46fdb8e1a568b96e645aa1 SHA-256: 2824e408f3840014ea1df311235082ed4f461fce9bd0da755b86cb816f5848aa
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, specifically the presence of XOR-encoded strings and a significant amount of slack space within the OLE structure. These techniques are commonly used to obfuscate malicious payloads. No document body text or scripts were extracted, limiting the ability to determine the exact nature of the payload or delivery mechanism.

Heuristics 2

  • XOR-encoded strings (key 0x25) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x25: 'advapi32.dll', 'wininet.dll', 'shell32.dll', 'LoadLibraryA', 'GetProcAddress'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,440,768 bytes but its declared streams total only 16,486 bytes — 1,424,282 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.