Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4c11b6bfd9e3196d…

MALICIOUS

Office (OLE) / .DOC

Size: 105.5 KB
Created: 2008-01-09 06:03:00
Authoring application: Microsoft Word 10.0
MD5: cd2d1fee070ecfd54b776c6c6abd4a7f
SHA-1: 8dfc9ab5065f9c47a42e8bc3611b54340b564dee
SHA-256: 4c11b6bfd9e3196d6e574bee16c72324680b2c9c9964f2954156543bca24b887
Risk Score: 120

Malware Insights

The sample exhibits critical heuristic firings for XOR-encoded strings and a high anomaly in OLE slack space, suggesting obfuscated malicious content. The presence of a NOP-equivalent sled further supports this. While no specific document body content or scripts were clearly extracted, these indicators strongly suggest the document is designed to execute malicious code, likely a downloader for a second-stage payload, using the detected XOR encoding.

Heuristics (3)

  • XOR-encoded strings (key 0x61) [severity: critical] [rule: SC_XOR_ENCODED]
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x61: 'msvcrt.dll', 'msvcrt.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateFileW', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region [severity: high] [rule: OLE_SLACK_ANOMALY]
    OLE file is 108,032 bytes but its declared streams total only 16,536 bytes; 91,496 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • NOP-equivalent sled detected [severity: medium] [rule: SC_NOP_EQUIV_SLED]
    Long run of 0x61 bytes