Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5b3647789e687726…

MALICIOUS

Office (OLE) / .DOC

Size: 74.0 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: a4f98a5fd08ae63caf1e8bcc86233d18
SHA-1: 1bcf35b1c82657b9c0c641d2656b45c42c441be0
SHA-256: 5b3647789e687726d9ca7fc80390bf9ba2bddab27013acb153c2d64ec3378db6
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that exhibits an OLE slack anomaly and contains XOR-encoded strings, indicating likely obfuscation of malicious content. The critical heuristic that fired suggests the presence of exploit code designed to execute arbitrary commands on the victim's machine.

Heuristics (2)

  • XOR-encoded strings (key 0x95) — severity: critical — SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA'
  • OLE document has large unaccounted-for region — severity: high — OLE_SLACK_ANOMALY
    OLE file is 75,776 bytes but its declared streams total only 16,486 bytes: 59,290 bytes (78%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).