Malicious Office (OLE) / .RT — malware analysis report

Static analysis result for SHA-256 d1796ed43735f4f2…

MALICIOUS

Office (OLE) / .RT

Size: 114.0 KB
Created: 2009-05-15 02:00:00
Authoring application: Microsoft Word 9.1
MD5: 51eea510aa9cb35a496eeca1fdd0a55c
SHA-1: dc1ad6ccdd8c68baabba55e7a36599b364dc6b5a
SHA-256: d1796ed43735f4f270a34b3d137e77ce43a3d6ba5378353d611dc11910d110fc
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, specifically XOR-encoded strings and a significant amount of slack space within the OLE structure. These are common techniques used to hide malicious payloads or evade detection. No specific family could be identified due to the lack of executable code or network indicators.

Heuristics (2)

  • XOR-encoded strings (key 0xEF) [severity: critical, rule: SC_XOR_ENCODED]
    Found 7 Windows library/API name(s) XOR-encoded with single-byte key 0xEF: 'LoadLibraryW', 'LoadLibraryExA', 'GetProcAddress', 'CreateProcessA', 'CreateProcessA', 'CreateProcessW', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region [severity: high, rule: OLE_SLACK_ANOMALY]
    OLE file is 116,762 bytes but its declared streams total only 8,934 bytes, so 107,828 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).