Office (OLE) / .DOC malware analysis — malicious · ae21105a7e90211a

MALICIOUS

Office (OLE) / .DOC

110.5 KB

MD5: 735fc504301259569a4a5df18bcf3b1b SHA-1: 4f186c6f06fdf053e0a8fe40c6e73b0692020754 SHA-256: ae21105a7e90211a2fe751c5e7cc9f88b96885185599538d621b0144bbfd33d7

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is an OLE document with significant slack space, indicating it may be packed or contain hidden data. Heuristics indicate the presence of WinExec, LoadLibrary, and GetProcAddress APIs, along with XOR-encoded strings, suggesting dynamic code execution and obfuscation. While no specific document body content or scripts were extracted, these indicators point towards a downloader or dropper functionality.

Heuristics 5

XOR-encoded strings (key 0x03) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x03: 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA', 'WriteProcessMemory', 'ReadProcessMemory'
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 113,152 bytes but its declared streams total only 31,351 bytes — 81,801 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.