Malicious Office (OLE) / ._SL — malware analysis report

Static analysis result for SHA-256 67e48dd4e869a222…

MALICIOUS

Office (OLE) / ._SL

Size: 241.0 KB
MD5: 2e724e86f9fdc30405faa294411c1e2a
SHA-1: d6317a54424c3f3df9a12bf5c337591d81a9314a
SHA-256: 67e48dd4e869a22261d922dd5048e2fe84b5891587d1931e88209f2361b32e0b
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1027 Obfuscated Files or Information
  • T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a malicious Office document, including the presence of embedded objects and the use of XOR-encoded strings. The large slack space in the OLE structure and the embedded EMF object are also suspicious indicators. While the document body is in Chinese and appears to be test-related, the overall structure and encoding point towards a potential payload delivery mechanism, likely via spearphishing.

Heuristics (4)

  • Office EPRINT stream contains EMF object (severity: high, CVE related; rule OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and, when paired with other Office exploit payload anomalies, is evidence of the CVE-2007-3893 / MS07-046 family; this rule alone does not prove that the EMF record is malformed.
  • XOR-encoded strings (key 0x81) (severity: critical; rule SC_XOR_ENCODED)
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'LoadLibraryA'
  • PEB access via FS segment (x86) (severity: high; rule SC_PEB_ACCESS)
    The code accesses the Process Environment Block (PEB) through the FS segment register (x86).
  • OLE document has large unaccounted-for region (severity: high; rule OLE_SLACK_ANOMALY)
    The OLE file is 246,788 bytes but its declared streams total only 60,708 bytes; the remaining 186,080 bytes (75%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).