Office (OLE) / .DOC malware analysis — malicious · a84bb2c41c47df16

MALICIOUS

Office (OLE) / .DOC

380.5 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 944200f1fa8aeca79c671110fa0d415b SHA-1: 7a2b526d3ac1641f814100c42efaa3ee5ca53491 SHA-256: a84bb2c41c47df16dcfb9259f9dc9fdbc7ce104de1f197958d5dbe23f351e5ff

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample is a malicious OLE document with significant slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of a NOP sled, PEB access, and an API-hash resolver, suggesting shellcode execution. The XOR-encoded strings with a key of 0xFF are a strong indicator of malicious intent, likely used to hide payloads or API calls. The embedded objects further suggest a complex malicious structure.

Heuristics 5

XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryExA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'ExitProcess', 'CreateFileA', 'OpenProcess', 'ShellExecuteA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 389,616 bytes but its declared streams total only 61,092 bytes — 328,524 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.