Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 370869d67ce1fae0…

MALICIOUS

Office (OLE) / .DOC

99.0 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word
MD5: 05beeb18570dcfd1f991a85cdafe11df SHA-1: 458282dc45fb7775f651c4e5f894c77d9fef7414 SHA-256: 370869d67ce1fae0567ea3a239168d1484ccd6876829061e75762c11bac9a064
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file exhibits characteristics of a malicious OLE document, including significant slack space anomalies and the presence of XOR-encoded strings. The encoding key is 0xA4. These techniques are commonly used to obfuscate malicious content within documents. Without a document body or scripts, the exact payload delivery mechanism cannot be determined, leading to a lower confidence in family attribution.

Heuristics 2

  • XOR-encoded strings (key 0xA4) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xA4: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 101,376 bytes but its declared streams total only 20,635 bytes — 80,741 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.