Office (OLE) / .DOC malware analysis — malicious · 65f7c637ffb428e3

MALICIOUS

Office (OLE) / .DOC

63.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 7509c5a1d563f1c8c7c942c2891a832b SHA-1: d8b5bf96a54b0113524f56ab4575dd5f2057b331 SHA-256: 65f7c637ffb428e3c53a573727e944bc648758a9a7cd03ae2cf6227e9532efd4

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is an OLE document containing a VBA macro that references the CreateProcess API, indicating an attempt to execute a payload. The presence of XOR-encoded strings with key 0x12 suggests obfuscation of malicious content. The large slack space in the OLE structure is also a common characteristic of malicious documents.

Heuristics 5

XOR-encoded strings (key 0x12) critical SC_XOR_ENCODED

Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0x12: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'CreateFileA'
x86 GetPC stub (CALL $+5; POP EBX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EBX)
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,928 bytes but its declared streams total only 21,151 bytes — 43,777 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.