Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a7aab09e06f529e8…

MALICIOUS

Office (OLE)

422.0 KB
MD5: 7b8d5a60d34db1c123ff5aa343705e1d SHA-1: 85e33e124901e8de6a165cf0ffac78ab91bb4607 SHA-256: a7aab09e06f529e8d5074cd324fa68a5687571f94f0aac819c0ba46125d33b62
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file exhibits characteristics of a malicious OLE document, including a significant amount of slack space (70%) and the presence of XOR-encoded strings with a key of 0xFF. These techniques are commonly used to evade static analysis and hide malicious content. No specific family could be identified due to the lack of further indicators.

Heuristics 3

  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 432,134 bytes but its declared streams total only 129,793 bytes — 302,341 bytes (70%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.