Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a09932d4486d71e8…

MALICIOUS

Office (OLE)

142.0 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: afb83386d8ac25a2333bed3c48b68cec SHA-1: 59ec4d8393955a5d0ff77baf74299be1bb0c3575 SHA-256: a09932d4486d71e8adb37ffdc007b6dd95c93371703e1e12ff5cbd206aa93d21
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious File Execution T1059 Command and Scripting Interpreter

The file is a Microsoft Word document exhibiting an OLE slack anomaly and contains XOR-encoded strings, indicating obfuscation likely used to hide malicious content. The presence of these indicators strongly suggests an attempt to exploit a vulnerability within the document itself to achieve arbitrary code execution. No specific malware family could be identified.

Heuristics 2

  • XOR-encoded strings (key 0xFC) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessA', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 145,408 bytes but its declared streams total only 16,486 bytes — 128,922 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.