Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 64bea363657e8e4b…

MALICIOUS

Office (OLE)

108.5 KB Created: 2004-04-05 00:54:00 Authoring application: Microsoft Word 10.0
MD5: 3ad953c4c022c086f46024ffc4e283da
SHA-1: 94f3f4effe7abb9d84f05154769acbc5af2d48bd
SHA-256: 64bea363657e8e4b9fb744e57f6aefae4223237fa19514a7c63bc8254add4f66
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1027 Obfuscated Files or Information

The sample is an OLE document containing VBA macros. Heuristics indicate that these macros are XOR-encoded with a key of 0xCC, a common obfuscation technique. The large amount of slack space in the OLE structure also suggests potential for hidden or packed data. No network indicators or further execution details were extracted, limiting the ability to determine the full payload.

Heuristics 3

  • XOR-encoded strings (key 0xCC) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'LoadLibraryA', 'CreateProcessA', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 111,104 bytes but its declared streams total only 53,912 bytes — 57,192 bytes (51%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 2a758fcc03dd3cd254ef2047dfa75b30c478ff6a2f15e171b66b4521c04fa715
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 559 bytes