Office (OLE) / .DOC malware analysis — malicious · 98224c4103e9a038

MALICIOUS

Office (OLE) / .DOC

67.0 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word

MD5: 763ef3c1ea877c4d80595165a2f5b00b SHA-1: 60db1cade9e7f8ce4557531c8bf402ef4ce271c6 SHA-256: 98224c4103e9a038b828c2c788e05a8b29a78391500f31cae8dcd639738f0da8

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is an OLE document exhibiting a critical heuristic for XOR-encoded strings with a key of 0x63. Additionally, a high heuristic firing indicates a significant amount of slack space within the OLE structure, a common characteristic of packed or obfuscated malicious documents. While no specific payload delivery mechanism or network indicators were extracted, these findings strongly suggest the document is intentionally obfuscated to conceal malicious content.

Heuristics 2

XOR-encoded strings (key 0x63) critical SC_XOR_ENCODED

Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 68,608 bytes but its declared streams total only 20,635 bytes — 47,973 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.