Office (OLE) / .DOC malware analysis — malicious · 90b3821af624a259

MALICIOUS

Office (OLE) / .DOC

158.6 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: efda5824d9a8384fbe0b408821d6817a SHA-1: caf961860e920ebfdd5f72090e48a377c07f6ffb SHA-256: 90b3821af624a2592ea746c4bb7e21ed7f9cd5e298619fa190c2c9e2dbd010a3

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The sample is a Microsoft Word document exhibiting a critical heuristic for XOR-encoded strings and a high heuristic for an anomalous OLE slack region. The presence of XOR-encoded strings suggests obfuscation, commonly used to hide malicious code or download URLs. The large slack region is also indicative of a packed or obfuscated file. While no specific exploit or payload is directly identified, these indicators strongly suggest an attempt to exploit a vulnerability or deliver a secondary stage. The document body is heavily corrupted and unreadable, providing no further context.

Heuristics 2

XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 162,424 bytes but its declared streams total only 16,486 bytes — 145,938 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.