Office (OLE) / .DOC malware analysis — malicious · c63612b73cc40314

MALICIOUS

Office (OLE) / .DOC

228.6 KB

MD5: 7a5de407b75c33e4f8c9f513e6f677bf SHA-1: 2d804c069c70bb5362775ab692bde7ac735d28d9 SHA-256: c63612b73cc4031464d01a4e0ac2843c26945b9660678f93bbb61f4918301798

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample exhibits multiple high and critical heuristic firings, including NOP sleds, XOR-encoded strings, and OLE slack anomalies, strongly indicating malicious intent. The document body contains seemingly random strings and unusual formatting, further suggesting obfuscation. While no specific URLs or scripts were extracted, the combination of heuristics points to a downloader or dropper mechanism designed to execute further stages.

Heuristics 3

XOR-encoded strings (key 0xC6) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xC6: 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'wininet.dll', 'shell32.dll', 'KERNEL32.DLL', 'LoadLibraryA', 'LoadLibraryA'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 234,037 bytes but its declared streams total only 129,793 bytes — 104,244 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.