Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cd10ff9cfd570459…

MALICIOUS

Office (OLE) / .DOC

Size: 110.2 KB (112,869 bytes) | Created: 2005-06-29 18:14:00 | Authoring application: Microsoft Word 10.0
MD5: 40b136aa58af575c75675110f867d3a5
SHA-1: 1975985accee5281caafb8762e97642001162edd
SHA-256: cd10ff9cfd5704596bcaef05633440e1839423cbd07be711c6b81d1dfb012bad
Risk score: 102

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is a malicious OLE document in which 82% of the bytes lie outside any declared stream, a layout consistent with an embedded payload rather than ordinary allocation slack. The XOR heuristic recovered, under a single key (0xAC), exactly the library and API names that position-independent shellcode resolves at runtime (LoadLibraryA, VirtualAlloc, CreateProcessA, CreateFileA, ShellExecuteA, ExitProcess), which points to dropper or downloader functionality: allocate memory, write a file, execute it, exit. VBA macros could not be extracted because the format is unsupported by the macro parser, so the macro path is unassessed and the verdict rests on the format-agnostic byte-level scans. Note that none of the three heuristics surfaces a decoded URL or command line; the secondary-payload assessment is inferred from the encoded import set and the oversized unallocated region.

Heuristics (3)

  • XOR-encoded strings (key 0xAC) critical SC_XOR_ENCODED
    Found 8 Windows library/API name occurrences XOR-encoded with single-byte key 0xAC (7 distinct names; 'LoadLibraryA' appears twice): 'shell32.dll', 'LoadLibraryA', 'LoadLibraryA', 'VirtualAlloc', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'ShellExecuteA'. A single key decoding several unrelated API names at once is the signal; one coincidental match under some key is expected in any large blob.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 112,869 bytes but its declared streams total only 20,632 bytes — 92,237 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
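The following script is an added example of how the SC_XOR_ENCODED heuristic above can be reproduced; it is not the analysis tool's own code. For every single-byte key it encodes each watched API name and searches the raw bytes for that encoding, reporting a key only when it decodes at least two distinct names (so a lone accidental hit is not flagged). The `API_NAMES` watch list, the two-hit threshold, and the sample blob built by `build_sample()` are all assumptions constructed here for illustration; the real document's bytes are not reproduced.

```python
"""Single-byte XOR scan for Windows library/API names (added example)."""
from __future__ import annotations

import sys

# Watch list of names that runtime import resolution typically needs.
# This list is an assumption for the example; extend it for real triage.
API_NAMES = [
    b"kernel32.dll", b"shell32.dll", b"LoadLibraryA", b"GetProcAddress",
    b"VirtualAlloc", b"CreateProcessA", b"ExitProcess", b"CreateFileA",
    b"ShellExecuteA", b"WinExec", b"URLDownloadToFileA",
]

MIN_DISTINCT = 2  # a key is reported only if it decodes this many names


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key."""
    return bytes(b ^ key for b in data)


def scan_xor_api_names(data: bytes, names=API_NAMES, min_distinct=MIN_DISTINCT):
    """Return {key: [(offset, name), ...]} for every key (1..255) under which
    at least `min_distinct` distinct names decode. Key 0x00 is skipped so
    plaintext strings are never reported as 'encoded'. Searching for the
    encoded pattern avoids decoding the whole blob 255 times."""
    results = {}
    for key in range(1, 256):
        hits = []
        for name in names:
            enc = xor_bytes(name, key)
            start = 0
            while True:
                idx = data.find(enc, start)
                if idx < 0:
                    break
                hits.append((idx, name.decode()))
                start = idx + 1
        if len({n for _, n in hits}) >= min_distinct:
            results[key] = sorted(hits)
    return results


def describe(results) -> list[str]:
    """Render findings in the report's own phrasing, one line per key."""
    lines = []
    for key, hits in sorted(results.items()):
        quoted = ", ".join(f"'{n}'" for _, n in hits)
        lines.append(f"Found {len(hits)} Windows library/API name(s) "
                     f"XOR-encoded with single-byte key 0x{key:02X}: {quoted}")
    return lines


def build_sample() -> bytes:
    """Constructed sample blob (not the analysed file): filler, one plaintext
    API name that must NOT be flagged, then a stage encoded with key 0xAC,
    with LoadLibraryA present twice as in the report."""
    stage_names = [b"shell32.dll", b"LoadLibraryA", b"LoadLibraryA",
                   b"VirtualAlloc", b"CreateProcessA", b"ExitProcess",
                   b"CreateFileA", b"ShellExecuteA"]
    stage = b"\x00".join(xor_bytes(n, 0xAC) for n in stage_names)
    return (b"PADDING" + b"\x00" * 32 + b"kernel32.dll" + b"\x00" * 32
            + stage + b"\xff" * 16)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = scan_xor_api_names(blob)
    for line in describe(found) or ["No single-byte XOR-encoded API names found"]:
        print(line)
    for key, hits in found.items():
        for off, name in hits:
            print(f"  key 0x{key:02X} offset 0x{off:06X}: {name}")
```

Run it as `python xorscan.py sample.doc` to scan a real file, or with no argument to scan the constructed blob. The offsets it prints are the practitioner's next step: carve the region around the cluster of hits and look for the decoder stub and the rest of the shellcode that the OLE_SLACK_ANOMALY heuristic says is hiding in unallocated sectors.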