Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 db653dac87ccf9a8…

MALICIOUS

Office (OLE)

Size: 197.5 KB
Created: 2007-12-03 01:19:00
Authoring application: Microsoft Word 9.0
MD5: 3b621fb8facf99051609bc60eaae35b1
SHA-1: d34c5fb0d7b5dbda7f2b38f38096e76057dee7e5
SHA-256: db653dac87ccf9a8681efb6fb305801c4a050e06cdb59beb0a169da9333a1394
Risk score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample triggers a critical-severity heuristic for XOR-encoded strings with key 0x95 and a high-severity heuristic for a significant OLE slack-space anomaly. Together these indicate a deliberate attempt to hide malicious content within the document. The presence of an embedded URL, though confirmed benign, is noted. Without a document body or scripts, the exact payload or delivery mechanism cannot be determined, but the obfuscation techniques strongly suggest malicious intent, likely for phishing or malware distribution.

Heuristics (3)

  • [critical] SC_XOR_ENCODED: XOR-encoded strings (key 0x95)
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc', 'VirtualAllocEx', 'VirtualProtect', 'VirtualProtect', 'VirtualProtectEx', 'CreateProcessA'
  • [high] OLE_SLACK_ANOMALY: OLE document has large unaccounted-for region
    OLE file is 202,239 bytes but its declared streams total only 16,486 bytes — 185,753 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.seoul.intercontinental.com/intro.htm