Office (OLE) / .DOC malware analysis — malicious · 44ad6902bd4e5bc1

MALICIOUS

Office (OLE) / .DOC

3.72 MB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.

MD5: 85b70299e914bc644dc471a454079dab SHA-1: 35f1474cd4869a11267d62b55a66bc84b504e538 SHA-256: 44ad6902bd4e5bc14c2961f4accc8372760f9c7c80b1ecc5908bd96a86082003

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information

The sample exhibits high-confidence heuristic firings for WinExec, CreateProcess, and ShellExecute, indicating an attempt to run external code. The presence of XOR-encoded strings (key 0xCE) suggests obfuscation techniques are employed to hide malicious functionality. The extracted path 'c:\winmsio.exe' is likely the dropped payload. The large slack space in the OLE structure is also anomalous and may be used to hide malicious content.

Heuristics 5

XOR-encoded strings (key 0xCE) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xCE: 'ExitProcess', 'CreateFileA'
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 3,900,424 bytes but its declared streams total only 16,486 bytes — 3,883,938 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.