MALICIOUS
140
Risk Score
Malware Insights
The sample is an OLE document with a high percentage of slack space, indicating potential obfuscation. Heuristics indicate the presence of XOR-encoded strings and a GetPC stub, common techniques for hiding malicious code. While no specific document body or scripts were extracted, these indicators suggest the file is designed to execute arbitrary code, likely as a downloader or dropper.
Heuristics 3
-
XOR-encoded strings (key 0x63) critical SC_XOR_ENCODEDFound 3 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'CreateProcessA', 'ExitProcess�', 'CreateFileA�'
-
x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALLx86 GetPC stub (CALL $+5; POP EAX)
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 197,633 bytes but its declared streams total only 20,639 bytes — 176,994 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.