MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1559.001 Component Object Model Hijacking
The file is identified as malicious and exhibits several high-severity heuristics, including XOR-encoded strings and an EMF object within an OLE stream. The document body suggests it's a test file, possibly designed to embed other Office documents (Excel, PowerPoint) and exploit OLE structures. The PEB access heuristic may indicate attempts to evade detection or manipulate process information.
Heuristics 4
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
-
XOR-encoded strings (key 0x81) critical SC_XOR_ENCODEDFound 8 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'LoadLibraryA'
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 250,884 bytes but its declared streams total only 60,708 bytes — 190,176 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.