Office (OLE) / .DOC malware analysis — malicious · c418705ca9074605

MALICIOUS

Office (OLE) / .DOC

861.1 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: dd917a7911937e3c6fe6a520211bc4af SHA-1: c66c8521d1f7b3c4be3de383cf184e5dffd4b8fb SHA-256: c418705ca907460523cdf1b7e8009b0afed304e1bd9db26fa9f6bd089f0cf193

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of NOP sleds, PEB access, API hash resolution, and XOR-encoded strings, all common techniques in malware. The document body contains references to embedded Excel and PowerPoint objects, suggesting a delivery mechanism that relies on the user interacting with these embedded files.

Heuristics 5

XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'advapi32.dll', 'shell32.dll', 'shell32.dll', 'LoadLibraryA', 'LoadLibraryA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 881,722 bytes but its declared streams total only 61,092 bytes — 820,630 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.