Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d432445e3ad8867c…

MALICIOUS

Office (OLE) / .DOC

Size: 67.0 KB
Created: 2009-02-26 07:53:00
Authoring application: Microsoft Office Word
MD5: bbf0c81611af879d684ef57c2e9bbebf
SHA-1: 4c892962c6f5ee1292daf852c4d5e974fbb9e327
SHA-256: d432445e3ad8867c5cc3672e67a1cf31c5c9df3a5298bef807eb34bf5364a6aa
Risk Score: 100

Malware Insights

The sample is an OLE document with a verdict of malicious. Heuristics indicate XOR-encoded strings and a large slack space anomaly, suggesting obfuscation and potentially hidden malicious content. The document body is minimal, providing no clear thematic lure. Without extracted scripts or further details on the encoded strings, the exact attack vector and payload remain unclear, leading to a lower confidence score.

Heuristics (2)

  • XOR-encoded strings (key 0xC2) [severity: critical] [rule: SC_XOR_ENCODED]
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region [severity: high] [rule: OLE_SLACK_ANOMALY]
    OLE file is 68,608 bytes but its declared streams total only 16,543 bytes; the remaining 52,065 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).