Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e26ac4059965f8b5…

MALICIOUS

Office (OLE) / .DOC

146.0 KB Created: 2008-03-05 03:19:00 Authoring application: Microsoft Office Word
MD5: 77e9f0d2d5d5c203e077083527e1a8bc SHA-1: b1a331380a469a2d8e4c4032b3dc05c5a8b7bb1e SHA-256: e26ac4059965f8b50898045c6062573fc1002a2e08defa9f9c197832cdbcf1b8
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The sample is a malicious OLE document. Static analysis revealed XOR-encoded strings with a key of 0x63, indicating an attempt to obfuscate content. Additionally, a significant portion of the file (86%) is slack space, further suggesting the presence of hidden malicious data. The document body is unreadable, providing no further context. No scripts were extracted from this sample.

Heuristics (2)

  • XOR-encoded strings (key 0x63) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x63: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 149,504 bytes but its declared streams total only 20,635 bytes — 128,869 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).