Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a09a2e3171bb8d95…

MALICIOUS

Office (OLE) / .DOC

Size: 98.2 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: 5063b3db2227bea3386a81743809c956
SHA-1: 3922332aa1abd982e516b79ac098580f29edfd48
SHA-256: a09a2e3171bb8d9560e299a429b9b3f926646ae4d4d473a5c4efef7bf3b19e00
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample exhibits an OLE slack space anomaly and contains XOR-encoded strings, indicating a malicious document designed to exploit vulnerabilities. The presence of these indicators suggests an attempt to download and execute a secondary payload, though the specific mechanism is obscured. The document body is heavily corrupted and does not provide further context.

Heuristics 2

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 100,608 bytes but its declared streams total only 16,486 bytes — 84,122 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).