Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 645f0b518ca260d5…

MALICIOUS

Office (OLE)

76.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: fcdb61ff86b7e022f17cbbbd40ac55ae SHA-1: 4193a8ba6be7d858ad76892c60b9bd489338d82a SHA-256: 645f0b518ca260d57f43181813ef664332efa618448b7a2dceffadc5c489f3bc
142 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample exhibits characteristics of a malicious Office document, including a NOP sled, XOR-encoded strings, and a large slack space anomaly, suggesting an attempt to hide malicious code. The presence of an embedded URL, although benign in this instance, combined with the exploitation heuristics, indicates a likely pattern of downloading and executing a secondary payload. No specific malware family could be confidently identified.

Heuristics 4

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 78,336 bytes but its declared streams total only 16,486 bytes — 61,850 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Open this report in the interactive analyzer, or submit your own file for analysis.