MALICIOUS
100
Risk Score
Malware Insights
The sample is a malicious OLE document with a large amount of slack space, indicating hidden or obfuscated content. A critical heuristic identified XOR-encoded strings with a key of 0xC2, suggesting an attempt to hide malicious code. No document body content beyond a single word was extracted, and no scripts were found. The obfuscation techniques and lack of clear user-facing content point to a malicious document, likely a downloader or dropper, but the exact payload and delivery mechanism cannot be determined with high confidence.
Heuristics 2
-
XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODEDFound 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 116,046 bytes but its declared streams total only 16,543 bytes — 99,503 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.