Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 00497feca10ccc18…

MALICIOUS

Office (OLE)

Size: 120.9 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2013-06-03
MD5: a41ad8c03a0c1d51d5a2b315fd36b41d
SHA-1: 4c1f078029ac2251b46dd17c806713d37d0cb80d
SHA-256: 00497feca10ccc183adec3a80916a391b0589001bb9615c718bfbb6cfde39707
Risk Score: 100

Heuristics (2)

  • Excel Index Array exploit — CVE-2008-3005 [critical] [CVE likely] [CVE_2008_3005]
    Legacy Excel workbook has the CVE-2008-3005 exploit shape: a compact BIFF8 FORMAT-index cluster paired with a normal XF table and a large unallocated OLE slack region used to stage the payload. The FORMAT pattern alone is not sufficient, so the rule requires the OLE slack payload-hiding context to keep false positives low.
  • OLE document has large unaccounted-for region [high] [OLE_SLACK_ANOMALY]
    OLE file is 123,773 bytes but its declared streams total only 21,308 bytes — 102,465 bytes (83%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).