Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c6886cc1dbbd39db…

MALICIOUS

Office (OLE) / .DOC

57.6 KB Created: 2006-08-28 13:40:00 Authoring application: Microsoft Word 9.0
MD5: 4f34691c7daebeee9914bc8ada5b233a SHA-1: 4e9f6da3e57d339489d395651cef343c408d429b SHA-256: c6886cc1dbbd39dba75e0aeb3b77eaddecee05212d056edcef22bf1abf91902a
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits critical heuristic firings for XOR-encoded strings and high OLE slack anomalies, indicating a deliberate attempt to obfuscate its contents. The XOR key 0x92 was identified. The document body is heavily corrupted and does not provide further context on the intended lure or payload.

Heuristics 2

  • XOR-encoded strings (key 0x92) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 58,944 bytes but its declared streams total only 23,704 bytes — 35,240 bytes (60%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.