Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 16b07711fbea5b8c…

MALICIOUS

Office (OLE)

Size: 98.5 KB
Created: 1999-11-22 07:58:00
Authoring application: Microsoft Word 8.0
MD5: 7b04dd1f512bb8be81ebddf7451e6d76
SHA-1: 20a2f1ffa8193e983fff44e371cb8c029b34692c
SHA-256: 16b07711fbea5b8c9ffa435c60cbb8b233aa2dcd20644979978e033a5cc29253
Risk Score: 340

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code upon opening. Heuristics indicate suspicious OLE structure and embedded Office documents, suggesting an attempt to evade detection. The presence of these macros and embedded artifacts strongly suggests a macro-based malware delivery.

Heuristics (8)

  • Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • ClamAV: Doc.Trojan.Class-37 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Class-37
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    Document contains an AutoOpen macro, which runs when the document is opened.
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Document contains an Auto_Close macro, which runs when the document is closed.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 64,877 bytes but its declared streams total only 0 bytes — 64,877 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 17867 bytes
    SHA-256: 66b82612b639e25917d5c34d80f200299cb3e9284c06920e9b63241a4e09dde8
    Detection: ClamAV: Doc.Trojan.Class-1
    Obfuscation or payload: unlikely
  • embedded_office_off00008c93.ole
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ole container at offset 0x8C93
    Size: 64877 bytes
    SHA-256: fce16d8d93375719d7e8da73143f6a5389707f5f2856d6673c03b7dff570f26a
  • embedded_office_off000090ae.ole
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ole container at offset 0x90AE
    Size: 63826 bytes
    SHA-256: a2e97a31de6b014a0e319c9e17209989746f28ad956a1d88ef5ce04ed7ac1269