Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c95d8b3e511ef1ad…

MALICIOUS

Office (OLE) / .DOC

137.3 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: ae3d6b060a74510a33e0c262650a4211 SHA-1: 55336f7c3f228e5a90770424099167fb1ddca100 SHA-256: c95d8b3e511ef1ad9b4cd9035aaf4f9d99eec4546af0e58a9f780ee32ee0595b
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits a critical heuristic for XOR-encoded strings, indicating obfuscation techniques are in use. Additionally, a high heuristic for OLE slack anomaly suggests the file structure is intentionally manipulated. These factors point towards a malicious document designed to hide its true functionality, likely involving the execution of a secondary payload.

Heuristics 2

  • XOR-encoded strings (key 0x5D) critical SC_XOR_ENCODED
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0x5D: 'LoadLibraryA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 140,572 bytes but its declared streams total only 16,486 bytes — 124,086 bytes (88%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.