Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9bb6d51e3e0bd455…

MALICIOUS

Office (OLE)

241.0 KB
MD5: e1f4582119f985ff9157ef5b2d754b52 SHA-1: 5c37fc863e623a589528092eca0cf6ad1117f6ae SHA-256: 9bb6d51e3e0bd4557d1221ede29daa0308999bfb5f4df5b141e0078fd76728ff
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate XOR-encoded strings and PEB access, common in malware. The document body contains references to embedded Excel and PowerPoint objects, suggesting a multi-stage attack or a malicious container designed to drop other files.

Heuristics 3

  • XOR-encoded strings (key 0x81) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x81: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'KERNEL32.DLL', 'LoadLibraryA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 246,788 bytes but its declared streams total only 60,708 bytes — 186,080 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.