Office (OLE) / .TXT malware analysis — malicious · cb8a8683811a88fd

MALICIOUS

Office (OLE) / .TXT

98.6 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: 553e9f58f7616c86a1c2fb6972d2219d SHA-1: 22c16841f4487ebe105e9ac2d8f0b13a78785913 SHA-256: cb8a8683811a88fd98156840c06aacef8961a87e604a8478d76f452e5e8ffc21

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is identified as malicious due to critical heuristic firings indicating XOR-encoded strings and a significant slack space anomaly within the OLE structure. These techniques are commonly used to obfuscate malicious content. No specific family could be identified, and no URLs or scripts were extracted to further detail the attack. The presence of obfuscation suggests the file is likely a downloader or dropper.

Heuristics 2

XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 100,946 bytes but its declared streams total only 16,543 bytes — 84,403 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.