Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 95bb1212d9bacc8e…

MALICIOUS

Office (OLE) / .DOC

91.8 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: 0313a4cd7e20f389ca0c4c86b5aca6df SHA-1: 4d316ce2fa51dbcb1be28074a6c25a1a2be68f82 SHA-256: 95bb1212d9bacc8e526e4ff660dd61ee1127b9c32d5bc96872fa18d6a2978394
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The sample is a malicious Microsoft Word document. Static analysis revealed XOR-encoded strings and a significant amount of slack space within the OLE structure, indicating potential obfuscation or embedded malicious content. The document body is heavily corrupted, preventing a clear understanding of its lure, but the heuristics strongly suggest an exploit attempt. No scripts were extracted, limiting further analysis of the execution chain.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'InternetOpenA', 'InternetOpenUrlA', 'HttpOpenRequestA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 93,960 bytes but its declared streams total only 16,486 bytes — 77,474 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.