Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5a6240a632e4f7a8…

MALICIOUS

Office (OLE) / .DOC

267.5 KB
MD5: 911c65a2ffedb82e28f5e3d91dedd942 SHA-1: 8c3471da15324693abd4afcfde757bae2a9c2db7 SHA-256: 5a6240a632e4f7a838888027a9bd451176e6101c6395704e1e598d4b2087fc8b
204 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1203 Exploitation for Client Execution

The sample is a malicious OLE file containing obfuscated shellcode, indicated by XOR-encoded strings and PEB access heuristics. Although VBA macros could not be extracted due to an unsupported format, the presence of raw shellcode suggests an attempt to execute arbitrary code. The XOR key 0x58 is a key indicator of the obfuscation method used.

Heuristics 7

  • XOR-encoded strings (key 0x58) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x58: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualProtect', 'ExitProcess'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.