Office (OLE) / .DOC malware analysis — malicious · f9f65ce04be8070b

MALICIOUS

Office (OLE) / .DOC

125.1 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 7ea58520387363d9b2c67f9c757cf470 SHA-1: 4889f52a3c0fe13d750252f78a74754a056be858 SHA-256: f9f65ce04be8070b9af8a6e3cca1a536f7f7d225655b8a3df268bf879c31da06

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The sample is a malicious OLE document containing a large slack space anomaly and multiple high-severity heuristic firings. These include detection of a NOP sled, PEB access, and an API-hash resolver, indicating attempts to obfuscate and execute shellcode. The critical finding of XOR-encoded strings with a key of 0xFF suggests the presence of obfuscated malicious content within the document. While no specific exploit is identified, the combination of these indicators points to a likely attempt to execute arbitrary code upon opening.

Heuristics 5

XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'ExitProcess', 'CreateFileA', 'OpenProcess'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 128,097 bytes but its declared streams total only 61,092 bytes — 67,005 bytes (52%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.