Office (OLE) malware analysis — malicious · 372466b2f13197d7

MALICIOUS

Office (OLE)

93.5 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: 4bf3605a144288acd4881c8f0bac662f SHA-1: e647137ca92c269e36f4f00ecbde44e191626537 SHA-256: 372466b2f13197d71b70e8693aa9f927b3ddabe7c439f1fa489595e65c045424

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation. A critical heuristic firing for XOR-encoded strings (key 0xC2) further supports this, suggesting that malicious content is hidden within the document. No document body or scripts were extracted, limiting further analysis of the specific payload.

Heuristics 2

XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 95,756 bytes but its declared streams total only 16,543 bytes — 79,213 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.