Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a974d1e106dcd000…

MALICIOUS

Office (OLE)

126.1 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word
MD5: ee94409b1113e645dd237e460b9d29e4 SHA-1: 9ffa2ad710c2c57fc0bb244a03a25c911de9c0a7 SHA-256: a974d1e106dcd000e3f7a9f910369d224e0cdc97ab57cace80f130de60f70a50
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation. A critical heuristic firing identified XOR-encoded strings with a key of 0xC2, further supporting the presence of hidden malicious content. No document body or scripts were available for further analysis, limiting the ability to determine the exact payload or delivery mechanism.

Heuristics 2

  • XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 129,092 bytes but its declared streams total only 16,543 bytes — 112,549 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.