Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7ef04e41bf4e1ac5…

MALICIOUS

Office (OLE) / .DOC

Size: 117.2 KB
Created: 2006-08-16 17:20:00
Authoring application: Microsoft Office Word
MD5: 0e67c7ed1a4fa2fdcaf8b08696824a9e
SHA-1: 350bb608b81e22be5c6837ac262ba76d4f6634d2
SHA-256: 7ef04e41bf4e1ac5877f680492b00c8808430903dd222c4133afa4ed6ba37ec3
Risk score: 140

Malware Insights

The sample exhibits characteristics of a malicious document, including a NOP sled and XOR-encoded strings, indicating an attempt to obfuscate malicious code. The large slack space in the OLE structure is also suspicious. While no specific family is identified, the presence of these indicators points towards an exploit delivery mechanism.

Heuristics (3)

  • XOR-encoded strings (key 0x81) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'kernel32.dll', 'advapi32.dll', 'shell32.dll', 'msvcrt.dll', 'msvcrt.dll', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 120,053 bytes but its declared streams total only 17,055 bytes — 102,998 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).