Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 75cb297994a26b82…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC

Size: 216.5 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: dc441694c9042061dd0343cb0cbea895
SHA-1: 3098ab500c23635ce66ca9608123ca45b70e2ae7
SHA-256: 75cb297994a26b82e25ff7c6a9f33b216f3d176ee481f07adaec364bf6933866
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document that exhibits characteristics of an exploit. Heuristics indicate the presence of a NOP sled and XOR-encoded strings, suggesting shellcode execution. The large amount of slack space in the OLE structure is also indicative of obfuscation or embedded exploit code. No specific family could be identified.

Heuristics (3)

  • XOR-encoded strings (key 0x95) [severity: critical, rule: SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected [severity: high, rule: SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 221,696 bytes but its declared streams total only 16,486 bytes; 205,210 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).