Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e4906dbb1a26c868…

MALICIOUS

Office (OLE)

259.6 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 0b6b7cc8705ce9f404eff9a785a6de97 SHA-1: 94e83f1643ff65ea2328cfa91c813ac13589a59f SHA-256: e4906dbb1a26c86801fdecb80b4aaa33b30ad58b3be765b3d3aaa91144653eb5
140 Risk Score

Malware Insights

The file is a malicious Office document exhibiting a NOP sled and XOR-encoded strings, indicating a likely attempt to obfuscate malicious code. The large amount of slack space in the OLE structure further suggests the presence of embedded, potentially malicious, content. Without a document body or script content, the exact payload and delivery mechanism remain unclear, but the heuristics strongly point to code execution.

Heuristics 3

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 265,839 bytes but its declared streams total only 16,486 bytes — 249,353 bytes (94%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.