Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9cfd566336f3b24a…

MALICIOUS

Office (OLE) / .DOC

Size: 393.0 KB | Created: 2007-12-03 01:19:00 | Authoring application: Microsoft Word 9.0
MD5: 287644ff0660718fddc8db6fdc030a5d
SHA-1: 2e807be8266bd72df89890bab4a99db4b82bcf12
SHA-256: 9cfd566336f3b24a791ddb18c07b1d3f2f6d7a8a7c744378ac3d7945c1198bbd
Risk Score: 140

Malware Insights

The sample is a Microsoft Word document that triggers several high-severity heuristics, including a NOP sled and XOR-encoded Windows API names, both indicative of embedded shellcode. The large amount of slack space in the OLE structure further suggests obfuscation or hidden embedded content. Although static analysis could not identify a specific exploit or payload, these indicators together strongly suggest that the document is crafted to exploit a vulnerability in the Office document parser.

Heuristics (3)

  • XOR-encoded strings (key 0x95) [critical] SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 402,432 bytes but its declared streams total only 16,486 bytes; the remaining 385,946 bytes (96%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).