Office (OLE) malware analysis — malicious · 2ea385fba98444d1

MALICIOUS

Office (OLE)

1008.5 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: 3323899213f81bcc89975fd10a4b76d3 SHA-1: badd8b9a3bb76a2ec27efcdd757c5fba8e617e9a SHA-256: 2ea385fba98444d170b12649f303fe09531122943a8a68b6e9ba417435510f7b

140 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, including a NOP sled and XOR-encoded strings, indicating an attempt to hide malicious payloads. The large amount of slack space in the OLE structure further suggests the presence of hidden or obfuscated data. Without further script or body content, the exact execution flow and purpose remain unclear, but the indicators point towards an exploit delivery mechanism.

Heuristics 3

XOR-encoded strings (key 0x39) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x39: 'LoadLibraryW', 'LoadLibraryExA', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateProcessW', 'CreateProcessW', 'RegOpenKeyExA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 1,032,708 bytes but its declared streams total only 18,081 bytes — 1,014,627 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.