Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c4ca2db09b3b7466…

MALICIOUS

Office (OLE) / .DOC

490.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 3fbd4e4be05205e649dad297f12b965f SHA-1: 02ba750063d365397868ce4ca255ff0374612a57 SHA-256: c4ca2db09b3b74667ea7113f6bba62d87b9e73df9802fb9318b918e3bb843c30
140 Risk Score

Malware Insights

The sample is a malicious OLE document exhibiting a large slack space anomaly and a NOP sled, indicative of an exploit. Heuristics also detected XOR-encoded strings, suggesting obfuscated malicious content. The primary attack vector appears to be code execution via a vulnerability within Microsoft Word, likely leveraging VBA macros, although no specific VBA code was extracted.

Heuristics 3

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 502,272 bytes but its declared streams total only 16,486 bytes — 485,786 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.