Office (OLE) / .DOC malware analysis — malicious · b843cdae28f89c72

MALICIOUS

Office (OLE) / .DOC

71.0 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: a6e2e55d07eee8c80165c9467ccb01a8 SHA-1: 196d5da30d673227b16ef5d4ca76d9f28b7455ca SHA-256: b843cdae28f89c72402d6fac33497a5354bf0610d66cd241b6483dc290a507dd

100 Risk Score

Malware Insights

The sample is an OLE document with a very small document body, indicating it relies on macros for its malicious functionality. Heuristics indicate XOR-encoded strings and a large amount of slack space, suggesting obfuscation and potentially embedded malicious code. The lack of a document body and the presence of obfuscation techniques point towards a macro-based downloader or dropper.

Heuristics 2

XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 72,708 bytes but its declared streams total only 16,543 bytes — 56,165 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.