Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 591cec63f536394b…

MALICIOUS

Office (OLE) / .DOC

156.5 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word
MD5: 432243b23471f15e3ab224dc7e00c211 SHA-1: 3278fb55b5159eef3f40a8b89940683cf210b519 SHA-256: 591cec63f536394b5eb67a377558182b5ae08b809e031f3999767f85ac24b1e5
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits a critical heuristic for XOR-encoded strings, suggesting an attempt to obfuscate malicious content. Additionally, a significant portion of the OLE document's space is unaccounted for, which can be used to hide embedded objects or code. Without further script or body content, the exact malicious intent cannot be determined, but the obfuscation techniques point towards a downloader or dropper.

Heuristics 2

  • XOR-encoded strings (key 0x63) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 160,256 bytes but its declared streams total only 20,635 bytes — 139,621 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.