Office (OLE) / .DOC malware analysis — malicious · 841e9c28773d4fdc

MALICIOUS

Office (OLE) / .DOC

197.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: c0d7c750f2070bffa86a28dccca89d42 SHA-1: 32ddcccca70cf3efd09194810d0876e67ab0385b SHA-256: 841e9c28773d4fdc9d1a222fd4ceaaf3d0fc30c5a5acb1c96226611bba5862a6

102 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document exhibiting a critical heuristic for XOR-encoded strings and a high heuristic for an anomalous OLE structure, indicating potential obfuscation and malicious intent. The presence of an embedded URL, though marked as benign, suggests an attempt to interact with external resources. The document body is heavily corrupted, but the presence of '2.doc' and references to 'MS07-014' hint at a potential exploit targeting a Microsoft Office vulnerability.

Heuristics 3

XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 202,240 bytes but its declared streams total only 16,486 bytes — 185,754 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.seoul.intercontinental.com/intro.htm

Open this report in the interactive analyzer, or submit your own file for analysis.