Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a9e056f26a3f5ca…

MALICIOUS

Office (OLE)

Size: 120.0 KB | Created: 2009-02-26 07:53:00 | Authoring application: Microsoft Office Word
MD5: 425da616a2b19e1b7a3addb94b0ca479
SHA-1: 9bcfbed304fe7905da3c36c75a773261f57db3cd
SHA-256: 4a9e056f26a3f5caa36a41c67f9ca5d82d247afe05ffbe9c7b093f1d533e6de8
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file is identified as malicious due to the presence of XOR-encoded strings and a significant amount of slack space within the OLE structure. These indicators suggest an attempt to obfuscate malicious content. The exact nature of the payload is not discernible from the provided heuristics and document body.

Heuristics (2)

  • XOR-encoded strings (key 0xC2) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 122,913 bytes but its declared streams total only 16,543 bytes — 106,370 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).