Office (OLE) / .DOC malware analysis — malicious · dfa939e5530187a9

MALICIOUS

Office (OLE) / .DOC

48.0 KB Created: 2006-08-28 13:40:00 Authoring application: Microsoft Word 9.0

MD5: 9027e19fb3d45b9ed9a80fb112f3683a SHA-1: f7c1843d25e5208ad167d5d1c68e47a634128f7a SHA-256: dfa939e5530187a9fbaf04475c1fe8b2f6c350cd11e460abddd7338ae845a256

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The sample is a Microsoft Word document exhibiting an OLE slack anomaly and containing XOR-encoded strings, indicating obfuscation. The presence of these indicators suggests the document is designed to exploit a vulnerability, likely to download and execute a secondary payload. The specific nature of the exploit or payload could not be determined due to the lack of script content and the obfuscated nature of the document body.

Heuristics 2

XOR-encoded strings (key 0x92) critical SC_XOR_ENCODED

Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x92: 'advapi32.dll', 'shell32.dll'
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 49,152 bytes but its declared streams total only 23,704 bytes — 25,448 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.