Office (OLE) / .D malware analysis — malicious · d044f5540924ec8d

MALICIOUS

Office (OLE) / .D

111.0 KB

MD5: d901ddc87cfde52de404a41ec251e55e SHA-1: c34f14d1da23c4ca023f32b3f68e74a2ec76dd9f SHA-256: d044f5540924ec8d4a54c52c28d4e84cb5c98d87f2c203245ddbe2d768fc61e5

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Heuristics indicate the use of WinExec, LoadLibrary, and GetProcAddress APIs, along with XOR-encoded strings, suggesting the execution of a payload. The presence of embedded OLE objects (Excel, PowerPoint) further supports a malicious document lure.

Heuristics 5

XOR-encoded strings (key 0x03) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x03: 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA', 'WriteProcessMemory', 'ReadProcessMemory'
Reference to WinExec API high SC_STR_WINEXEC

Reference to WinExec API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 113,664 bytes but its declared streams total only 31,351 bytes — 82,313 bytes (72%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.