Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 e8554ec3678d89e6…

MALICIOUS

Office (OLE) / .DOC

162.0 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word
MD5: b19bb23be023dc2bf959eae8a6193653 SHA-1: 3e9f6fcbdc8634576a68af605c228b66eb08b684 SHA-256: e8554ec3678d89e64b19c5ced6d490817eb9ede3f0fed53999116d2c55b7a2e5
222 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a malicious OLE document exhibiting several high-severity heuristic firings, including PEB access, API hash resolution, and XOR-encoded strings, indicating sophisticated evasion techniques. The large slack space and embedded EMF object suggest attempts to hide malicious content. While VBA macros could not be extracted, the presence of embedded URLs and the overall structure point towards a downloader or exploit delivery mechanism. The attack pattern is inferred from the common use of such documents to exploit Office vulnerabilities.

Heuristics 6

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'kernel32.dll', 'kernel32.dll', 'kernel32.dll', 'advapi32.dll', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualAlloc'
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 165,888 bytes but its declared streams total only 61,092 bytes — 104,796 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.