Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6b5ab1b77827ae9b…

MALICIOUS

Office (OLE) / .DOC

218.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 58c9dd9d827dd87aa238419dd84ddede SHA-1: 524e9f341d95f341a4d3ab0f77f199351bb5c956 SHA-256: 6b5ab1b77827ae9b0a74161c27027a2a7993a255fb4db62f63b5efa30fa2710e
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing embedded URLs that point to a suspicious domain. Heuristics indicate the presence of a NOP sled and XOR-encoded strings, suggesting an attempt to obfuscate malicious content or exploit code. The large amount of slack space in the OLE structure is also anomalous. The embedded URLs are the primary indicators of a potential phishing or redirection attempt.

Heuristics 4

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'ShellExecuteA'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 223,744 bytes but its declared streams total only 16,486 bytes — 207,258 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.5iantlavalamp.com/_
    • http://www.5iantlavalamp.com/

Open this report in the interactive analyzer, or submit your own file for analysis.