Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4cebafbdf66bf3d9…

MALICIOUS

Office (OLE) / .DOC

376.6 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 00fcfd35487def9011e1f5b03867028c SHA-1: 45621e384e39ebe9448dd88fb86056086ad60943 SHA-256: 4cebafbdf66bf3d978e12d27b6e73b30c6a68e5bfeb46f607a54299aa1e3a537
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file exhibits characteristics of a malicious document, including a significant amount of slack space within the OLE structure and the presence of XOR-encoded strings. These techniques are commonly used to hide malicious code or payloads. While no specific exploit or payload is directly identified, the obfuscation methods strongly indicate a malicious intent.

Heuristics 3

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 385,630 bytes but its declared streams total only 16,486 bytes — 369,144 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.