Office (OLE) / .DOC malware analysis — malicious · d588287fed3f010f

MALICIOUS

Office (OLE) / .DOC

104.2 KB Created: 2005-06-29 18:14:00 Authoring application: Microsoft Word 10.0

MD5: 4be9fb6aaa2a7f7f76fbcba4ff0e4a80 SHA-1: 72deeab25f207ebc1bbdfbe91779aec70bdc469c SHA-256: d588287fed3f010fdde0498165e90b71356ca21b8108864171666c5e7976b767

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The file is a malicious OLE document exhibiting a large slack space anomaly, suggesting hidden or obfuscated content. The presence of XOR-encoded strings and an embedded URL points towards a downloader mechanism. Although VBA macros could not be extracted due to an unsupported format, the heuristics indicate an attempt to execute code, likely to fetch and run a secondary payload.

Heuristics 3

XOR-encoded strings (key 0xAC) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xAC: 'shell32.dll', 'LoadLibraryA', 'LoadLibraryA', 'VirtualAlloc', 'CreateProcessA', 'ExitProcess', 'CreateFileA', 'ShellExecuteA'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 106,725 bytes but its declared streams total only 20,632 bytes — 86,093 bytes (81%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.