Office (OLE) / .DOC malware analysis — malicious · 3ba4fd10a873fd93

MALICIOUS

Office (OLE) / .DOC

516.0 KB Created: 2007-12-19 02:15:00 Authoring application: Microsoft Word 10.0

MD5: 4ec3eda140600e046876f9816ea3ba13 SHA-1: 26f12629a8006b1876385dbb4b32ce0e8ffb932e SHA-256: 3ba4fd10a873fd933e9fa8b9582b384d8dfa2e9fbf80ecd4801a91c42e3a7001

140 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is a malicious Office document exhibiting significant slack space and XOR-encoded strings, indicating an attempt to obfuscate malicious content. The PEB access heuristic further suggests code execution or manipulation. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, but the obfuscation techniques point towards a downloader or exploit-laden document.

Heuristics 3

XOR-encoded strings (key 0x4D) critical SC_XOR_ENCODED

Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0x4D: 'LoadLibraryA', 'LoadLibraryW', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'CreateProcessW', 'RegOpenKeyExW'
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 528,384 bytes but its declared streams total only 20,632 bytes — 507,752 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.