Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd3578a7b5316496…

MALICIOUS

Office (OLE)

107.0 KB Created: 2009-02-26 07:53:00 Authoring application: Microsoft Office Word
MD5: e3701c95bf908258886e62858821f839 SHA-1: e09492849f65c1fdfb50ea1f726547908a592763 SHA-256: fd3578a7b5316496213f3eda33f75cc620619ca0d4ec981bb66cbb96469423f1
100 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The file is identified as malicious due to a critical heuristic firing for XOR-encoded strings with a key of 0xC2. Additionally, a high severity heuristic indicates a significant slack space anomaly within the OLE document structure, often used to hide malicious code. The document body contains only the word 'Mary', providing no contextual clues. The combination of obfuscation and structural anomalies strongly suggests a malicious document, likely a downloader or dropper, though the exact payload and delivery mechanism cannot be determined from the available evidence.

Heuristics 2

  • XOR-encoded strings (key 0xC2) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0xC2: 'advapi32.dll', 'RegOpenKeyExA'
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 109,600 bytes but its declared streams total only 16,543 bytes — 93,057 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.