Office (OLE) malware analysis — malicious · 037f461c5880910c

MALICIOUS

Office (OLE)

234.1 KB First seen: 2019-09-30

MD5: 112c01fa3a841380b945cc7aabbd0e3d SHA-1: 9ed9784d7997a95645f44b2fbcf681f447bf9b4f SHA-256: 037f461c5880910ca97d612bd1db6f2d16ab48e8482a3f02a4892c0746d02a5c

88 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1105 Ingress Tool Transfer

The OLE document exhibits significant slack space and an appended executable payload, indicating it's designed to deliver malware. Although the VBA macros contain no executable statements, the presence of appended executable content strongly suggests the file's malicious intent. The file is classified as malicious with a high risk score.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 239,696 bytes but its declared streams total only 12,556 bytes — 227,140 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 671 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	671 bytes
SHA-256: `951208b608f8616684e7f652db35c4e21fc13440c541a1e128fc5562ec7888f1`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "TreeView1, 1, 0, MSComctlLib, TreeView" Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 951208b608f8616684e7f652db35c4e21fc13440c541a1e128fc5562ec7888f1

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "TreeView1, 1, 0, MSComctlLib, TreeView"

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.