Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0b2736809a2b3bec…

MALICIOUS

Office (OLE)

151.5 KB Created: 2007-09-18 04:34:00 Authoring application: Microsoft Word 11.
MD5: dccbfdb98c405121f72bf40c7a8bb508 SHA-1: 25cf3c4d68cff914ae195e6974c44819ca1026be SHA-256: 0b2736809a2b3becc5fcf6665aed47c7770ba1c7a89c4dafd9fab7253a258aca
182 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an OLE document with significant appended payload bytes and a high slack anomaly, indicating it is likely a container for malicious content. Static triage identified an embedded Office document with suspicious findings, including an appended payload. The document body contains obfuscated strings that, when reconstructed, point to registry modifications for persistence via 'HKCU\Software\Microsoft\Office\11.0\Word\Resiliency\DisabledItems\h', and also contains embedded URLs that could be used to download further stages.

Heuristics 5

  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 155,184 bytes but its declared streams total only 16,486 bytes — 138,698 bytes (89%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.tibet.net/en/index.php?id=1391&articletype=flash&rmenuid=morenews&tab=1
    • http://www.5iantlavalamp.com/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00004c00.ole
afebf655fa87bafd46465d605e6594cf23c3d7064cb629579887ca8919aa09d4		 embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x4C00 135728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.