Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2b7b3d4081e22be4…

MALICIOUS

Office (OLE) / .DOC

171.1 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 939127f1ae7a913224094eb01b110af0 SHA-1: 4af9bc5297b794ee8dc19714173e055ec1a4b016 SHA-256: 2b7b3d4081e22be4f6bc2f009058a8d1b97b2d48803e5ecb4e948ccb0839cd79
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file is a Microsoft Word document exhibiting OLE slack anomalies and XOR-encoded strings, indicating obfuscation typical of malicious documents. The presence of these heuristics suggests the document is designed to exploit a vulnerability, likely to download and execute a secondary payload. No specific family could be identified due to the lack of script content or clear indicators.

Heuristics 2

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 175,224 bytes but its declared streams total only 16,486 bytes — 158,738 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.