Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c47763622142bb72…

MALICIOUS

Office (OLE) / .DOC

Size: 305.5 KB
Created: 2009-03-31 05:41:00
Authoring application: Microsoft Word 10.0
MD5: 46ed27c2cdc78b72ac215eda22f3b848
SHA-1: 829e5f765357d984803eea159d6b24e698c1337a
SHA-256: c47763622142bb72bb0e110577782bb73b76792d056d3c3f73b3093985b5758d
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is an OLE document with a high degree of slack space, indicating an attempt to conceal its true contents. Heuristic analysis detected XOR-encoded strings, a common obfuscation technique used to hide malicious code or configuration data. It also detected an x86 GetPC stub, a construct shellcode commonly uses to locate its own address in memory. Without further analysis of the encoded strings or any embedded scripts, the exact payload and delivery mechanism remain unclear.

Heuristics (3)

  • XOR-encoded strings (key 0x23) [critical] SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x23: 'kernel32.dll', 'kernel32.dll', 'cabinet.dll', 'iphlpapi.dll', 'iphlpapi.dll', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA'
  • x86 GetPC stub (CALL $+5; POP EAX) [high] SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 312,816 bytes but its declared streams total only 16,536 bytes; 296,280 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).