Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 28f5e0a4d3ddead0…

MALICIOUS

Office (OLE) / .DOC

Size: 82.0 KB
Created: 2009-02-26 07:53:00
Authoring application: Microsoft Office Word
MD5: 450b5acf7a00049e2126436f52e31291
SHA-1: a1f107eca52f79c11d1e1790e71ed62bdccfa055
SHA-256: 28f5e0a4d3ddead002d13e527c9ebd81ad2de309967471d2d61c3cab1f191428
Risk score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file is identified as malicious due to a critical heuristic firing for XOR-encoded strings, indicating obfuscation. Additionally, an OLE slack space anomaly suggests the document may contain hidden or packed malicious content. The minimal document body text ('Mary') provides no clear lure, making the exact attack pattern uncertain but likely a generic delivery mechanism.

Heuristics (2)

  • XOR-encoded strings (key 0xC2) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with the single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    The OLE file is 83,974 bytes, but its declared streams total only 16,543 bytes; the remaining 67,431 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).