Office (OLE) / .DOC malware analysis — malicious · c4c48154e2a786be

MALICIOUS

Office (OLE) / .DOC

382.0 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: ee87feaecf2d1b937913630cd78fa744 SHA-1: d4fa521aca234c7f96948ac353d210fe60ef7ad7 SHA-256: c4c48154e2a786be1b704b1fdd8df20ab9defb1fb65ca3a8970b18f579709d46

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059 Command and Scripting Interpreter

The sample is a malicious OLE document with significant slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the presence of a NOP sled, PEB access, and XOR-encoded strings, suggesting shellcode execution. The XOR key 0xFF was identified. No document body or scripts were extracted, limiting further analysis of the specific payload or delivery mechanism.

Heuristics 5

XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'advapi32.dll', 'wininet.dll', 'shell32.dll', 'comctl32.dll', 'KERNEL32.DLL', 'version.dll', 'LoadLibraryA', 'GetProcAddress'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 391,152 bytes but its declared streams total only 61,092 bytes — 330,060 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.