Office (OLE) / .SS- malware analysis — malicious · d3e4b01b6bfe62d1

MALICIOUS

Office (OLE) / .SS-

111.0 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word

MD5: 3e7f838aa62cced3b6c689f9d73e49af SHA-1: 6db99bfc746a791418c098378fd5b5bc571c5b61 SHA-256: d3e4b01b6bfe62d136d5a495e2f871eb842db721e2c1ea1fcf41e1983607725a

100 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. A critical heuristic firing for XOR-encoded strings further supports this. The document body is minimal, suggesting the primary lure is not within the visible text. Without further script or URL evidence, the exact malicious behavior cannot be determined, but the obfuscation points towards a downloader or exploit delivery mechanism.

Heuristics 2

XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 113,680 bytes but its declared streams total only 16,543 bytes — 97,137 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.