Office (OLE) malware analysis — malicious · fa79a9202984f109

MALICIOUS

Office (OLE)

79.5 KB Created: 2007-12-03 01:19:00 Authoring application: Microsoft Word 9.0

MD5: 06bedf421d0871b11ea77827b1e802c7 SHA-1: 39f54dd1bc24fd818fc2afb94eb0dc790d5966e7 SHA-256: fa79a9202984f1099fa8b48350fd559fb5c234c1647218b9f934bf7b4da6d1c3

140 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information

The file is identified as a malicious OLE document. Static analysis detected a NOP sled and XOR-encoded strings, indicating an attempt to obfuscate malicious content. The large amount of slack space in the OLE structure is also anomalous. Without further script or body content, the exact payload and delivery mechanism remain unclear, but the presence of these indicators strongly suggests an attempt to execute arbitrary code.

Heuristics 3

XOR-encoded strings (key 0x95) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x95: 'kernel32.dll', 'kernel32.dll', 'iphlpapi.dll', 'GetProcAddress', 'GetProcAddress', 'VirtualAlloc', 'CreateProcessW', 'RegOpenKeyExW'
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 81,408 bytes but its declared streams total only 16,486 bytes — 64,922 bytes (80%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.