Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6695eb16adc85738…

MALICIOUS

Office (OLE)

171.0 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word
MD5: 98936afadea72b61e1640d2cab1cb731 SHA-1: 2954192c51988f2189e34faef37bbaaa283c1f7f SHA-256: 6695eb16adc85738a5803773cb30a344914a4bb10c435660d25052c62867aed8
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, specifically the presence of XOR-encoded strings and a significant amount of slack space within the OLE structure. These indicators suggest an attempt to hide or obfuscate malicious code or data within the file. Without further analysis of the decoded strings or the purpose of the slack space, the exact functionality remains unclear, leading to a moderate confidence level.

Heuristics 2

  • XOR-encoded strings (key 0x63) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 175,104 bytes but its declared streams total only 20,635 bytes — 154,469 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.