Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2b8dced13d010143…

MALICIOUS

Office (OLE)

Size: 93.9 KB (96,103 bytes)
Created: 2005-06-29 18:14:00
Authoring application: Microsoft Word 10.0
MD5: c76f48160cb3f7212091513d969030b7
SHA-1: 2281a38d3e283469f326acb3518aaf48cc03ecba
SHA-256: 2b8dced13d0101435459f8215f48cace5b063314025ab9d8ea98d9dfa1cb0009
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE (Compound File Binary) document in which roughly 79% of the bytes lie outside every declared stream. Unallocated sector slack of that size is not produced by a normal Word save and is the usual place an exploit document parks its payload. The SC_XOR_ENCODED heuristic supports that reading: the names 'LoadLibraryA' and 'GetProcAddress' encoded under a single-byte key are the import-resolution pair that position-independent shellcode uses to locate APIs at run time, and 'iphlpapi.dll' hints at network-related follow-on activity. The document body itself is heavily corrupted and unreadable, so no lure text or embedded script could be recovered to narrow the attack pattern or family. The combination of an oversized slack region and XOR-hidden API names is nonetheless strong evidence of a concealed malicious payload.

Heuristics (2)

  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'iphlpapi.dll', 'LoadLibraryA', 'GetProcAddress'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 96,103 bytes but its declared streams total only 20,632 bytes — 75,471 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
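The two heuristics above (XOR-encoded API names and unaccounted-for OLE slack) can both be reproduced with a short standalone script. The code below is an added example written for this page, not the scanner that produced the report, and it runs against a small constructed CFB blob rather than the real sample. Assumptions are labelled in the comments: a version-3 file whose FAT sectors all fit in the header DIFAT (true for a 96 KB document), no DIFAT chain, and a 100-byte stream placed in a regular sector instead of the mini stream to keep the parser short.

```python
"""Added example for this report: OLE slack measurement and single-byte XOR
API-name scanning.  Not the vendor's code.  Assumes a CFB v3 file whose FAT
sectors are all listed in the header DIFAT (no DIFAT chain)."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
# Short constructed watch-list of names whose XOR-encoded form is worth flagging.
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"iphlpapi.dll",
             b"kernel32.dll", b"VirtualAlloc", b"WinExec", b"urlmon.dll"]


def ole_slack(data):
    """Return (file_size, allocated_bytes, declared_stream_bytes) for a CFB blob.
    allocated_bytes = header + every sector the FAT does not mark FREESECT;
    declared_stream_bytes = sum of the size field of every stream directory entry."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE/CFB file")
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    ssz = 1 << sector_shift
    n_fat, dir_start = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)[:n_fat]   # header DIFAT only
    fat = []
    for s in difat:                                            # sector N lives at (N+1)*ssz
        fat.extend(struct.unpack_from("<%dI" % (ssz // 4), data, (s + 1) * ssz))
    n_sectors = (len(data) - ssz) // ssz                       # whole sectors after the header
    allocated = ssz + sum(ssz for e in fat[:n_sectors] if e != FREESECT)
    declared, sect, seen = 0, dir_start, set()
    while sect not in (ENDOFCHAIN, FREESECT) and sect not in seen:  # walk directory chain
        seen.add(sect)
        off = (sect + 1) * ssz
        for i in range(ssz // 128):                            # 128-byte directory entries
            ent = data[off + i * 128: off + (i + 1) * 128]
            if ent[0x42] == 2:                                 # STGTY_STREAM
                declared += struct.unpack_from("<I", ent, 0x78)[0]
        sect = fat[sect]
    return len(data), allocated, declared


def xor_encoded_apis(data, names=API_NAMES):
    """Brute-force every single-byte key; return {key: [api names found]}."""
    hits = {}
    for key in range(1, 256):
        found = [n.decode() for n in names if bytes(b ^ key for b in n) in data]
        if found:
            hits[key] = found
    return hits


def build_sample():
    """Constructed CFB: header, 1 FAT sector, 1 directory sector, one 100-byte
    stream, then 7 unallocated sectors carrying a 0xFF-XORed payload (made-up data)."""
    ssz = 512
    hdr = bytearray(ssz)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9)  # minor, major=3, byte order, shift
    struct.pack_into("<H", hdr, 0x20, 6)                        # mini sector shift
    struct.pack_into("<IIII", hdr, 0x2C, 1, 1, 0, 4096)         # 1 FAT sector, dir at sector 1
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT chain
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))      # DIFAT[0]: FAT at sector 0
    fat_sec = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))

    def entry(name, typ, child, start, size):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\0\0"
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 0x40, len(raw), typ, 1)
        struct.pack_into("<III", e, 0x44, FREESECT, FREESECT, child)  # siblings = NOSTREAM
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    dir_sec = (entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
               + entry("WordDocument", 2, FREESECT, 2, 100) + bytes(256))
    stream = b"A" * 100 + bytes(ssz - 100)
    payload = b"".join(bytes(b ^ 0xFF for b in n)
                       for n in (b"iphlpapi.dll", b"LoadLibraryA", b"GetProcAddress"))
    slack = bytes(ssz) + payload + bytes(6 * ssz - len(payload))   # sectors 3..9, all FREESECT
    return bytes(hdr) + fat_sec + dir_sec + stream + slack


if __name__ == "__main__":
    blob = build_sample()
    size, alloc, declared = ole_slack(blob)
    print("file %d B, allocated %d B, declared streams %d B, slack %.0f%%"
          % (size, alloc, declared, 100.0 * (size - alloc) / size))
    print("XOR-encoded API names:", xor_encoded_apis(blob))
```

Run it as-is to see the constructed blob flagged; point `ole_slack` and `xor_encoded_apis` at the bytes of a real document to apply the same two checks. The slack figure here is computed from the FAT (sectors nobody allocated), which is slightly stricter than the "declared streams total" comparison in the heuristic text; a file passing both measures with a few percent of slack is normal, one with most of its bytes unallocated is not.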