Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4bab338aebacd760…

MALICIOUS

Office (OLE) / .DOC

Size: 78.5 KB
Created: 2008-03-05 03:19:00
Authoring application: Microsoft Office Word
MD5: f3f53150ec9ed995fd61c38839402750
SHA-1: 34e3d9d49b3113891071f9f69185cf393da1ec3c
SHA-256: 4bab338aebacd760cf94edc3800a373cb71a51ea505305159c35917cbec69ca2
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample exhibits characteristics of a malicious document, including XOR-encoded strings and an embedded URL. The large slack space in the OLE structure is also suspicious. However, VBA macros could not be extracted, limiting the ability to determine the exact execution flow. The embedded URL is the primary IOC, but its specific destination is not detailed in the provided evidence.

Heuristics (3)

  • XOR-encoded strings (key 0xA4) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xA4: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 80,384 bytes but its declared streams total only 20,635 bytes — 59,749 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. The file is likely a legacy, encrypted, or malformed OLE/OOXML document, so re-scanning the same bytes will yield the same outcome.