Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f979cbd5eac076df…

MALICIOUS

Office (OLE) / .DOC

88.5 KB Created: 2007-11-03 09:34:00 Authoring application: Microsoft Office Word
MD5: 06056c261ea5a34766320c8ed3a2d426 SHA-1: 87ee35455e3158f01e0efdf89bb7a9f444e1bdb1 SHA-256: f979cbd5eac076df7390347976ddac74e857bc6544a2a8f246575f4b086d1884
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file exhibits characteristics of a malicious document, specifically XOR-encoded strings and a significant amount of slack space within the OLE structure. These anomalies indicate an attempt to conceal malicious code or data. Without further script or body content, the exact payload and delivery mechanism remain unclear, leading to an unknown family classification.

Heuristics 2

  • XOR-encoded strings (key 0x6D) critical SC_XOR_ENCODED
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0x6D: 'LoadLibraryA', 'CreateProcessA', 'ExitProcess', 'CreateFileA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 90,624 bytes but its declared streams total only 20,639 bytes — 69,985 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.