Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK: T1027 Obfuscated Files or Information
The sample exhibits characteristics of a malicious document, including XOR-encoded strings and a significant amount of slack space within the OLE structure, which are common evasion techniques. While no specific payload or delivery mechanism is directly evident from the limited static analysis, these indicators strongly suggest an intent to conceal malicious activity. The GetPC stub further points to code intended for execution.
Heuristics (3)
- XOR-encoded strings (key 0x63) [critical, SC_XOR_ENCODED]: Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'CreateProcessA', 'ExitProcess ', 'CreateFileA '
- x86 GetPC stub (CALL $+5; POP EAX) [high, SC_GETPC_CALL]: x86 GetPC stub (CALL $+5; POP EAX)
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 83,969 bytes but its declared streams total only 20,639 bytes; 63,330 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).