Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 88f25d212f9497d9…

MALICIOUS

Office (OLE) / .DOC

Size: 59.1 KB
Created: 2008-03-05 03:19:00
Authoring application: Microsoft Office Word
MD5: 12ec974a6c5acc0fe35ec222f29ce8b8
SHA-1: cf4b9876fd1b7f45f098200a909c4cc293342a5e
SHA-256: 88f25d212f9497d92131f7e5b10ca3566e0d20fece74460aedd07c192abc80cc
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, specifically the presence of XOR-encoded strings and a significant amount of slack space within the OLE structure. These are common techniques used to obfuscate malicious payloads. No document body or scripts were extracted, limiting further analysis of the specific payload or delivery mechanism.

Heuristics (2)

  • XOR-encoded strings (key 0xA4) [severity: critical, rule: SC_XOR_ENCODED]
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xA4: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 60,541 bytes but its declared streams total only 20,635 bytes — 39,906 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).