Office (OLE) malware analysis — malicious · 16b9ebb8a1920484

MALICIOUS

Office (OLE)

243.4 KB First seen: 2015-09-17

MD5: 4e759b6f8d6311dc6e666d6227d87c20 SHA-1: 0875765be96dd419665085d054fbe515315a15d6 SHA-256: 16b9ebb8a192048437437bf2b74e9510e1479720abd5dbf20a55b3205d7ad83a

88 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The OLE document exhibits anomalies in its structure, including a large slack region and an appended payload, indicative of malicious intent. While the VBA project itself contains no executable statements, the presence of appended executable-looking bytes and the overall OLE structure strongly suggest the file is a dropper or loader for further malicious activity. The SHA256 hash is included as a primary indicator.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 249,200 bytes but its declared streams total only 117,280 bytes — 131,920 bytes (53%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 671 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	671 bytes
SHA-256: `11993efa3cba2fc6c51e24c164f8f6ee10667f9dc6a11024b0790cb1a63a4c71`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ListView2, 1, 1, MSComctlLib, ListView" Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 11993efa3cba2fc6c51e24c164f8f6ee10667f9dc6a11024b0790cb1a63a4c71

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ListView2, 1, 1, MSComctlLib, ListView"

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.