Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6906621790eca0f6…

MALICIOUS

Office (OLE) / .DOC

Size: 157.0 KB
Created: 2008-03-05 03:19:00
Authoring application: Microsoft Office Word
MD5: 9826b3cd3e273ff9892ba65eb03212ed
SHA-1: db6e09e6cebd7aa68f37c5e27665c89403004e55
SHA-256: 6906621790eca0f69897dd5b13e2ed6071406d673f442354f951f15a64cd4c24
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, specifically XOR-encoded strings and a significant amount of slack space within the OLE structure. These are common techniques used to hide malicious payloads or obfuscate the true nature of the file. No specific malware family could be identified, and no executable content or network indicators were directly extracted.

Heuristics (2)

  • XOR-encoded strings (key 0x63) [critical] SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 160,768 bytes but its declared streams total only 20,635 bytes; the remaining 140,133 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).