Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4b0de8269026bbd9…

MALICIOUS

Office (OLE) / .DOC

Size: 69.0 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: c928f42596173803f98d6298daf88706
SHA-1: bb8ae22763acc2dd9b50a0ab9d1640d621802b61
SHA-256: 4b0de8269026bbd9445b6f95385e4aa8c7602b6a149491fc826b69ce73d8c3f1
Risk Score: 140

Malware Insights

The file is a malicious OLE document containing a NOP sled and XOR-encoded strings, indicating obfuscated malicious content. The document body suggests a lure to disguise the malicious nature of the file. While no specific exploit or payload is directly identified, the presence of these indicators strongly suggests an attempt to deliver malware.

Heuristics (3)

  • XOR-encoded strings (key 0x95) — critical — SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'kernel32.dll', 'kernel32.dll', 'iphlpapi.dll', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessW', 'RegOpenKeyExW'
  • NOP sled detected — high — SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region — high — OLE_SLACK_ANOMALY
    OLE file is 70,656 bytes but its declared streams total only 16,486 bytes; 54,170 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).