Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0485acc0f8533c94…

MALICIOUS

Office (OLE)

Size: 31.5 KB
Created: 1998-09-01 14:28:56
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 94edf0264e64bbbf691f702b41909b65
SHA-1: b23459365f2db4da6c705e2dc624084fcb528884
SHA-256: 0485acc0f8533c94881117809440cbbf8269ccb03dde0a469921f283c573db41
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a malicious Excel 5 document by multiple critical heuristics, specifically flagging the presence of the Laroux macro virus. The embedded OLE structure also shows suspicious anomalies, suggesting deliberate obfuscation. The ClamAV detection name 'Legacy.Trojan.Agent-497' further supports its malicious nature.

Heuristics (5)

  • ClamAV: Legacy.Trojan.Agent-497 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Legacy.Trojan.Agent-497.
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster (critical, OLE_XLS5_LAROUX_MACRO_VIRUS)
    The legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster, including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type, and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file is routed to a PE, archive, or generic scanner instead of the Office scanner.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    The OLE file is 21,615 bytes, but its declared streams total only 0 bytes: all 21,615 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous; it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_off00002991.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside the OLE container at offset 0x2991
Size: 21615 bytes
SHA-256: 162aedfa03282d54110c2a7965542cdcfd6df74053cdf95e7cd707ef13607623