Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6811c864bd3a60e…

MALICIOUS

Office (OLE)

357.3 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0
MD5: 7992c5a7f3f2dd82233c013e5bfe24ec SHA-1: 856e0f392e5402369271b0538f84d1414d65a6af SHA-256: e6811c864bd3a60e3b7c6691bd82eb8ab216975b2b75675ae95245982bdfa89a
140 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file exhibits characteristics of a malicious OLE document, including a detected NOP sled and XOR-encoded strings. The large slack space in the OLE structure further indicates potential obfuscation or embedded malicious content. Without a document body or scripts, the exact payload and delivery mechanism remain unclear, but the detected heuristics strongly suggest an attempt to execute arbitrary code.

Heuristics 3

  • XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'LoadLibraryA', 'GetProcAddress'
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 365,832 bytes but its declared streams total only 16,486 bytes — 349,346 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.