Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a992073180048aac…

MALICIOUS

Office (OLE)

Size: 212.5 KB | Created: 2007-12-03 01:19:00 | Authoring application: Microsoft Word 9.0
MD5: 7071c8ec9e8fb41730281de8565d206e
SHA-1: f742c82769fb3e3e419fd76888f7848d32afd780
SHA-256: a992073180048aac565e1f11dcc7e2f42c27fbaefdfe483fcb592e27bf5c9c1d
Risk Score: 140

Malware Insights

The sample is an OLE document exhibiting a large slack space anomaly and a NOP sled, indicative of shellcode. A critical heuristic detected XOR-encoded strings with key 0x95, suggesting obfuscated malicious content. While no specific exploit or payload could be definitively identified from the static analysis, the presence of these indicators strongly suggests an attempt to deliver and execute an exploit or payload.

Heuristics (3)

  • XOR-encoded strings (key 0x95) [severity: critical, rule: SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected [severity: high, rule: SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 217,600 bytes but its declared streams total only 16,486 bytes; 201,114 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).