Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 551dfd80739bcbb7…

MALICIOUS

Office (OLE) / .DOC

Size: 124.5 KB
Created: 2004-04-05 00:54:00
Authoring application: Microsoft Word 10.0
MD5: 0c301441fed0c910e10449bb339df18e
SHA-1: fe8d24c77360997dbdb9a2335bd11132a82e9977
SHA-256: 551dfd80739bcbb7623d0f746dc199cbd560ded29af0dc04095f47f45d51cbe4
Risk Score: 120

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample is a malicious OLE document containing VBA macros. The SC_XOR_ENCODED heuristic indicates that strings within the macro are obfuscated using XOR with a key of 0xCC. The document body presents a narrative about alleged embezzlement within a Tibetan community organization, likely as a pretext for social engineering. The VBA macros are the primary mechanism for malicious activity, though their specific function is obscured by XOR encoding.

Heuristics (3)

  • XOR-encoded strings (key 0xCC) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'LoadLibraryA', 'CreateProcessA', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 127,488 bytes but its declared streams total only 53,912 bytes — 73,576 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 559 bytes
  SHA-256 of macros.bas: 2a758fcc03dd3cd254ef2047dfa75b30c478ff6a2f15e171b66b4521c04fa715