Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cb86eaceb932daf7…

MALICIOUS

Office (OLE) / .DOC

91.0 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 3fb89b612869c151d6689e96a0d3cce0 SHA-1: 61c180749479e7896816e4886885b011e4247bd3 SHA-256: cb86eaceb932daf7c281f88759d59d4b4f669f7e5308efa5bd0848d33149bc24
140 Risk Score

Malware Insights

The sample is a malicious OLE document containing a NOP sled and XOR-encoded strings, indicating obfuscated malicious content. The large slack space in the OLE structure further suggests the presence of hidden or packed data. While no specific VBA scripts were extracted, the heuristics strongly suggest the document is designed to execute malicious code, likely through embedded macros, to achieve its malicious objective.

Heuristics 3

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress', 'RegOpenKeyExA'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 93,181 bytes but its declared streams total only 16,486 bytes — 76,695 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.