Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 0b1cc74acde60899…

MALICIOUS

Office (OLE) / .EXE

Size: 237.9 KB
Created: 2005-06-03 06:06:00
Authoring application: Microsoft Word 10.0
MD5: d340b78d94334067657af6560a7d0dd5
SHA-1: f781f2c815b4df92e47f46ec46502f0e93f6ccec
SHA-256: 0b1cc74acde60899d91193689f74d866f551522b54f4a46528673431099b4bfc
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Win.Exploit.MS03-1, indicating that it exploits a known vulnerability. The VBA project (which contains no executable statements) and the large unaccounted-for slack region in the OLE structure suggest a packed or obfuscated executable payload. The document body content is a press release, likely used as a lure, while the embedded URLs are benign.

Heuristics (5)

  • XOR-encoded strings (key 0xFF) critical SC_XOR_ENCODED
    Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'KERNEL32.DLL', 'KERNEL32.DLL', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryW', 'LoadLibraryExA'
  • ClamAV: Win.Exploit.MS03-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.MS03-1
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 243,606 bytes but its declared streams total only 25,865 bytes — 217,741 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.amnesty.org
    • http://news.amnesty.org

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: fde7b1f57154583c2d0b2ef86eb7ed80a65693d660b415bbc87c8437e893b2db
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 346 bytes