Malicious Office (OLE) / .LOG — malware analysis report

Static analysis result for SHA-256 d5d85d1ef33c63bb…

MALICIOUS

Office (OLE) / .LOG

84.0 KB
MD5: 2fd2e4124cb2f2040aa14f5eac77bdc7 SHA-1: d0b117b49026aacd37155c6f1b8ce5385899d7d0 SHA-256: d5d85d1ef33c63bb4c0113c41a4ac89bd79bc43349b9aba42d6adbc3afe009ca
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1027 Obfuscated Files or Information

The sample exhibits characteristics of a malicious document, including XOR-encoded strings and PEB access, suggesting an attempt to evade detection. The document body contains text related to application forms for various permits, which is a common lure for phishing attacks. The presence of XOR-encoded strings with key 0x97 indicates a deliberate obfuscation technique.

Heuristics 3

  • XOR-encoded strings (key 0x97) critical SC_XOR_ENCODED
    Found 6 Windows library/API name(s) XOR-encoded with single-byte key 0x97: 'kernel32.dll', 'shell32.dll', 'LoadLibraryA', 'GetProcAddress', 'RegOpenKeyExA', 'ShellExecuteA'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 86,016 bytes but its declared streams total only 21,308 bytes — 64,708 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.