Office (OLE) malware analysis — malicious · b158a9f061169b1f

MALICIOUS

Office (OLE)

94.0 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: 7bd6bdb85e80d3bbf64126c49c011a1c SHA-1: 301c35a36672902c1d0008286a1839e42a091be3 SHA-256: b158a9f061169b1f465d127989bc5c8243d9f3513be2dabf0a56df12187a16ed

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The file is identified as malicious due to a critical heuristic firing for XOR-encoded strings with a key of 0xC2. Additionally, a high severity heuristic indicates a large slack space anomaly within the OLE structure, suggesting potential obfuscation or packing of malicious code. The document body contains only the word 'Mary', providing no contextual clues for the attack pattern. No scripts were extracted from this sample.

Heuristics 2

XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 96,292 bytes but its declared streams total only 16,543 bytes — 79,749 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.