Office (OLE) / .DOC malware analysis — malicious · 359ec47c18e09724

MALICIOUS

Office (OLE) / .DOC

106.5 KB Created: 2005-05-10 00:02:00 Authoring application: Microsoft Word 10.0

MD5: e1d695e4e146e76cefad269d1fd1e6ce SHA-1: d4165bce1fd9e32cecb3ed1460bec5d22e645dbd SHA-256: 359ec47c18e09724c231dde4eb90d99dff784cb1cd0243ab9584b706b88c7442

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample exhibits characteristics of malicious obfuscation techniques, specifically XOR-encoded strings with a key of 0x92 and a significant amount of slack space within the OLE structure. While a benign URL was extracted, these indicators point towards a deliberately hidden payload. No scripts were extracted, limiting further analysis of the specific malicious functionality.

Heuristics 3

XOR-encoded strings (key 0x92) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 109,056 bytes but its declared streams total only 12,812 bytes — 96,244 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.