MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The file is identified as malicious with a critical heuristic firing for XOR-encoded strings, using the key 0xC2. Additionally, a high heuristic indicates a significant amount of slack space within the OLE structure, suggesting obfuscation or embedded malicious content. An embedded URL was also detected. The presence of these indicators points towards a malicious document, likely a downloader or dropper, though the specific family is not identifiable.
Heuristics 2
-
XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODEDFound 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 173,060 bytes but its declared streams total only 16,543 bytes — 156,517 bytes (90%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Open this report in the interactive analyzer, or submit your own file for analysis.