Office (OLE) / .DOC malware analysis — malicious · a339ba101ff3f9b6

MALICIOUS

Office (OLE) / .DOC

62.5 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: 5745f2145f409d56b54a33c50512b7e0 SHA-1: 6a30fdf2a25159c282072ecc02f3ffefca444829 SHA-256: a339ba101ff3f9b6cbe812952612e8a26a716abbbdf55c7cfeed47813b9ea3ba

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The file is identified as malicious due to a critical heuristic firing for XOR-encoded strings, indicating obfuscation techniques are in use. Additionally, a high heuristic for OLE slack anomaly suggests the document structure is unusual and potentially hides malicious components. The document body contains only the word 'Mary', providing no further context for the attack. No specific malware family is identifiable from the available evidence.

Heuristics 2

XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 64,000 bytes but its declared streams total only 16,543 bytes — 47,457 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.