Office (OLE) / .DOC malware analysis — malicious · 42015996847ece4b

MALICIOUS

Office (OLE) / .DOC

70.0 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word

MD5: 4acbb68b45698e0520702a04f7bf0ca2 SHA-1: d09fde849efe0b8bb8bfe5594f533cec620b1f5d SHA-256: 42015996847ece4ba1833cbb57b5834aeb0a4ec49740d74407643a059e578283

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Phishing:Spearphishing Attachment T1566.002 Phishing:Spearphishing Link

The file is a malicious OLE document with a significant amount of slack space, suggesting obfuscation or embedded malicious content. Although VBA macros could not be extracted, the presence of an embedded URL indicates a phishing or malware delivery attempt. The XOR-encoded strings further suggest malicious intent, likely to hide malicious code or URLs.

Heuristics 3

XOR-encoded strings (key 0xA4) critical SC_XOR_ENCODED

Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xA4: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 71,680 bytes but its declared streams total only 20,635 bytes — 51,045 bytes (71%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.