Office (OLE) malware analysis — malicious · 75d053623d99db35

MALICIOUS

Office (OLE)

79.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: 5a6795a373c97807131a47be83f66910 SHA-1: 53a3bc9241bd78e5b8591ffcfbb9734d508b909a SHA-256: 75d053623d99db359e920cd4eb3b01325ba39df29e8ee40c1a2cc81b19f4a447

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious Office document, including a detected NOP sled and XOR-encoded strings, indicating an attempt to obfuscate malicious content. The large slack space in the OLE structure further suggests the presence of hidden or packed data. These indicators point towards an exploit designed to execute arbitrary code, likely for further payload delivery.

Heuristics 3

XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'kernel32.dll', 'kernel32.dll', 'iphlpapi.dll', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessW', 'RegOpenKeyExW'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 81,408 bytes but its declared streams total only 16,486 bytes — 64,922 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.