Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3aa1b1bef86a5fb0…

MALICIOUS

Office (OLE) / .DOC

241.0 KB
MD5: 9bb741b27193c84372c4f1291b5f2e99
SHA-1: dc852c3c4235bc8b6d268dfd19c06f1edd805dd8
SHA-256: 3aa1b1bef86a5fb0aad2edd7b9a904153dfa1df6616521fcfe43fc4d446bbe3d
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is an OLE document with significant slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate PEB access and XOR-encoded strings, common in malware. The presence of embedded OLE objects like Excel and PowerPoint sheets further supports the idea of a malicious container. No specific family is identifiable from the provided evidence.

Heuristics (3)

  • XOR-encoded strings (key 0x81) — severity: critical — SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'LoadLibraryA'
  • PEB access via FS segment (x86) — severity: high — SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region — severity: high — OLE_SLACK_ANOMALY
    OLE file is 246,788 bytes but its declared streams total only 60,708 bytes — 186,080 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).