Office (OLE) / .DOC malware analysis — malicious · 690ed99c506f2cdd

MALICIOUS

Office (OLE) / .DOC

183.0 KB Created: 2009-03-31 05:41:00 Authoring application: Microsoft Word 10.0

MD5: eea8ea7b939e4c812d34d0e5d199cc92 SHA-1: 338105fca1ac25995e5fd6503c68e8728d312c5c SHA-256: 690ed99c506f2cdd097e03ebbbdf87cd065cf47534addb78ae308fd0fcef85e0

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a malicious OLE document that exhibits high heuristic firings for XOR-encoded strings and an unusual amount of slack space, indicating obfuscation and potential malicious content. The GetPC stub suggests an attempt to execute code, likely exploiting a vulnerability within Microsoft Word.

Heuristics 3

XOR-encoded strings (key 0x23) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x23: 'kernel32.dll', 'kernel32.dll', 'iphlpapi.dll', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc'
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL

x86 GetPC stub (CALL $+5; POP EAX)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 187,376 bytes but its declared streams total only 16,536 bytes — 170,840 bytes (91%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.