Malicious Office (OLE) — malware analysis report

Heuristics 3

• XOR-encoded strings (key 0xA4) critical SC_XOR_ENCODED
  Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xA4: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  Disassembly hidden — these bytes score as data, not coherent x86 code (0/1 branch targets land on an instruction boundary (0% coherence)).
• OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
  OLE file is 71,906 bytes but its declared streams total only 17,567 bytes — 54,339 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
• OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
  OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Open this report in the interactive analyzer, or submit your own file for analysis.