MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
The sample is a Microsoft Word document exhibiting a high degree of slack space, indicative of potential obfuscation or embedded malicious content. A critical heuristic firing indicates XOR-encoded strings with a key of 0x95, suggesting an attempt to hide malicious code or commands. While no specific document body content or scripts were clearly extracted for analysis, the combination of the file type, the slack space anomaly, and the XOR encoding strongly suggests an exploit attempt within the document itself.
Heuristics 3
-
XOR-encoded strings (key 0x95) critical SC_XOR_ENCODEDFound 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 325,752 bytes but its declared streams total only 16,486 bytes — 309,266 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/tiff/1.0/
- http://ns.adobe.com/exif/1.0/
- http://ns.adobe.com/photoshop/1.0/
- http://www.iec.ch
Open this report in the interactive analyzer, or submit your own file for analysis.