Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7c5cdb8d3429be23…

MALICIOUS

Office (OLE) / .DOC

118.1 KB
MD5: 6da5dd2f3e4c530455ecee9f4cbebd6f SHA-1: 9f00681a6ef7517ff27c5a97a38dd682e0800145 SHA-256: 7c5cdb8d3429be23f90f7e4aeadc0ff9735766d62fd9d1ec140ca78e2cf7a251
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The file is an OLE compound document in which roughly three quarters of the bytes lie outside any declared stream, a layout consistent with a payload hidden in sector slack rather than with a legitimately saved document. The XOR-encoded strings (single-byte key 0x88) are not arbitrary text: they are the library and API names a download-and-execute shellcode stub resolves at runtime. wininet.dll with InternetOpenA, HttpOpenRequestA and HttpSendRequestA fetch a second stage over HTTP, CreateFileA writes it to disk, CreateProcessA launches it, and LoadLibraryA plus GetProcAddress are the resolver itself. The document body also references embedded Excel and PowerPoint objects, which could carry additional payloads. None of the three heuristics concerns VBA, so the indicators point to an exploit-style document rather than a macro dropper.
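As an added illustration (not sandbox output and not part of the original report), the scan behind the SC_XOR_ENCODED heuristic can be reproduced by brute-forcing every single-byte key against a list of known API names and then dumping the string table under the winning key. The input buffer below is constructed; the names are the eight reported in the heuristic, and the filler and noise are assumptions.

```python
import re

# Library/API names a download-and-execute shellcode stub resolves by hand;
# this is the set the report lists, used here as the search dictionary.
API_NAMES = [
    b"wininet.dll", b"LoadLibraryA", b"GetProcAddress", b"CreateProcessA",
    b"CreateFileA", b"InternetOpenA", b"HttpOpenRequestA", b"HttpSendRequestA",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_names(buf: bytes, names=API_NAMES, min_len: int = 8) -> dict:
    """Return {key: [name, ...]} for every single-byte key under which at least
    one of `names` appears XOR-encoded somewhere in `buf`.

    Key 0 is skipped: a plain-text hit is not an encoded string. `min_len`
    keeps very short names from matching by chance in large buffers."""
    hits = {}
    for key in range(1, 256):
        for name in names:
            if len(name) >= min_len and xor_bytes(name, key) in buf:
                hits.setdefault(key, []).append(name.decode())
    return hits


def printable_strings(buf: bytes, key: int, min_len: int = 6) -> list:
    """Decode `buf` under `key` and return its printable-ASCII runs, the way an
    analyst dumps a recovered shellcode string table."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, xor_bytes(buf, key))]


# Constructed sample slack region (assumption, not bytes from the real file):
# NUL filler, then the eight names as a NUL-separated table encoded under
# key 0x88, then 256 bytes of noise.
SAMPLE_KEY = 0x88
SAMPLE_SLACK = (
    b"\x00" * 64
    + xor_bytes(b"\x00".join(API_NAMES) + b"\x00", SAMPLE_KEY)
    + bytes(range(256))
)

if __name__ == "__main__":
    for key, found in sorted(find_xor_encoded_names(SAMPLE_SLACK).items()):
        print(f"key 0x{key:02x}: {len(found)} name(s): {', '.join(found)}")
        print("  strings:", printable_strings(SAMPLE_SLACK, key)[:8])
```

The dictionary approach is what makes single-byte XOR cheap to detect: 255 keys times a handful of names is trivial, and a single long API name under the right key is a far stronger signal than entropy alone. Multi-byte or rolling keys defeat this exact scan, which is why the heuristic names the key length it found.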

Heuristics 3

  • XOR-encoded strings (key 0x88) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x88: 'wininet.dll', 'LoadLibraryA', 'GetProcAddress', 'CreateProcessA', 'CreateFileA', 'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA'
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 120,968 bytes but its declared streams total only 31,351 bytes — 89,617 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).