Office (OLE) malware analysis — malicious · c7c5c9646a111aa0

MALICIOUS

Office (OLE)

970.0 KB Created: 2009-05-21 02:07:35 Authoring application: Microsoft PowerPoint

MD5: a46de970c99d4d9c85e56d8fd8f437a7 SHA-1: dbb719de55f4247e6cb96c5d7c8ba687bd5b3451 SHA-256: c7c5c9646a111aa02f8a45c82269299c119a621191b512ee053c8c40c85406d2

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics detected a NOP sled and XOR-encoded strings with a key of 0xFB, suggesting an attempt to hide malicious code. The large slack space and encoding are common techniques for delivering exploits or downloading secondary payloads.

Heuristics 3

XOR-encoded strings (key 0xFB) critical SC_XOR_ENCODED

Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0xFB: 'ADVAPI32.DLL'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 993,284 bytes but its declared streams total only 18,081 bytes — 975,203 bytes (98%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.