Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 a36c536c10f2d964…

MALICIOUS

Office (OLE) / .DOC

Size: 103.5 KB | Created: 2007-12-03 01:19:00 | Authoring application: Microsoft Word 9.0
MD5: 1047cf4819bef0b4519646ff5de453eb
SHA-1: cc70b99197dd67fd25bd9a68b0b07d12d5be0b40
SHA-256: a36c536c10f2d964bd35cef332fc6da35517e2951ae008619a598fe4c10ec8a6
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is a malicious OLE document with a large region of slack space, a common evasion technique. The SC_XOR_ENCODED heuristic indicates that strings within the document are obfuscated with a single-byte XOR key of 0xFC. While no specific payload or delivery mechanism is directly evident from the limited document body, these indicators strongly suggest malicious intent, most likely to conceal malicious code or commands.

Heuristics (2)

  • [critical] SC_XOR_ENCODED: XOR-encoded strings (key 0xFC)
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xFC: 'LoadLibraryA', 'GetProcAddress', 'RegOpenKeyExA'
  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    OLE file is 105,984 bytes but its declared streams total only 16,486 bytes; the remaining 89,498 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).