Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 068b16d02baa84f5…

MALICIOUS

Office (OLE)

102.6 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: 074c689acefc030ba1b8a88d5b890a5d SHA-1: 72ed79deebb7a93ade3ec08fb9da262c8956e522 SHA-256: 068b16d02baa84f5785ec0ec55010b928dbde14d61bf19ac685cf98b30bc2a23
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OLE document with significant appended payload bytes and a high slack anomaly, indicating embedded malicious content. Static triage identified an embedded Office document with suspicious findings, including an appended payload. The presence of PEB access and the overall structure suggest the document is designed to execute a secondary stage, likely a downloader.

Heuristics 4

  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 105,016 bytes but its declared streams total only 16,486 bytes — 88,530 bytes (84%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00004c00.ole
8995b00485acafa7af258748a9a256600f484f605dddf0cae20b0b9b2f00b01f		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x4C00 85560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.