Office (OLE) / .DOC malware analysis — malicious · 3946bfe4b9a8aa14

MALICIOUS

Office (OLE) / .DOC

151.0 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 410ecf2edc02cc16debb493a6c034212 SHA-1: 3ce4bfa9b8da874bccf7a4e77fdd87fe2403123f SHA-256: 3946bfe4b9a8aa145f11c80d4f135acfd14179803a3aec188d1a99450930d8b0

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The file is a malicious OLE document containing embedded Excel and PowerPoint objects. Heuristics indicate the presence of PEB access and an API hash resolver, suggesting attempts to evade detection and resolve API calls dynamically. The XOR-encoded strings further point to obfuscation techniques. The large slack space in the OLE structure is also anomalous.

Heuristics 4

XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED

Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 154,624 bytes but its declared streams total only 61,092 bytes — 93,532 bytes (60%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.