MALICIOUS
180
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The file is an OLE document exhibiting characteristics of an appended payload and large slack space, indicative of a packed or obfuscated executable. The presence of heuristics related to CVE-2009-0556 suggests an attempt to exploit a client-side vulnerability for execution. The XOR-encoded strings further support the obfuscation of malicious content within the document.
Heuristics 4
-
PowerPoint OffArray-style record stub — CVE-2009-0556 related high PPT_CVE_2009_0556_RELATEDSmall embedded PowerPoint Document stream contains the sparse record set associated with OffArray-style exploit stubs and lacks normal text/placeholder atoms. This is CVE-2009-0556-family evidence, reported as related until the malformed OffArray field is validated directly.
-
XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODEDFound 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 197,120 bytes but its declared streams total only 15,628 bytes — 181,492 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOADOLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
Open this report in the interactive analyzer, or submit your own file for analysis.