Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 95578dff40884c5c…

MALICIOUS

Office (OLE)

58.0 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: adb8b5e3ce86ce220dae2b5ce94decd9 SHA-1: 8349b5b26b87a6c8861ced27ab98b5b8fa5bad74 SHA-256: 95578dff40884c5c1ba0a72b1479d7a3f515cc07dd4c17a0b0e6a547b5f40c64
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file exhibits characteristics of a malicious document, specifically XOR-encoded strings and a significant amount of slack space within the OLE structure. These are common techniques used to hide malicious payloads or evade detection. The document body is heavily truncated and contains mostly garbled characters, preventing a clear understanding of the social engineering pretext. Without further script analysis or clearer document content, the exact attack pattern and family remain uncertain.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'kernel32.dll', 'CreateProcessA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 59,392 bytes but its declared streams total only 16,486 bytes — 42,906 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.