Office (OLE) / .DOC malware analysis — malicious · 86b318f2e22ca7a3

MALICIOUS

Office (OLE) / .DOC

248.4 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: fe438fa0809acc372fed6e89cb504ff6 SHA-1: ae148b90415af2f9468a2ab3c265af3ae253d1a5 SHA-256: 86b318f2e22ca7a3b31cbf64230cd3a80badd6800a74c9dc4955d0bf21594c78

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The file is identified as malicious by ClamAV as 'Xls.Dropper.Agent-7119708-0'. It exhibits critical heuristics for XOR-encoded strings and PEB access, indicating potential obfuscation and anti-analysis techniques. The OLE slack anomaly suggests the file may be packed or contain hidden data. While no scripts were extracted, the embedded objects and heuristics point towards a dropper functionality.

Heuristics 4

XOR-encoded strings (key 0x81) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'LoadLibraryA', 'GetProcAddress'
ClamAV: Xls.Dropper.Agent-7119708-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Agent-7119708-0
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 254,377 bytes but its declared streams total only 61,092 bytes — 193,285 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.