Win.Trojan.Shuffle-1 Office (OLE) malware analysis — malicious · 176e63693b1e4c77

MALICIOUS

Office (OLE)

23.5 KB Created: 1997-04-14 17:28:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14

MD5: cdeb302a2d334c7c217e0a530da21b66 SHA-1: 681c16e224ef5f2485661ddfd2e3cf591738d4e1 SHA-256: 176e63693b1e4c77a260edd888e6391495363009d239c1a11d41b0bcfea4e598

280 Risk Score

Malware Insights

Win.Trojan.Shuffle-1 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus, as indicated by heuristic firings and ClamAV detection as 'Win.Trojan.Shuffle-1'. The embedded document structure and the presence of macro-related keywords like 'autoopen' and 'ToolsMacro' suggest an attempt to execute malicious code upon opening. The obfuscated nature of the DOC BODY content, using functions like 'EditReplace' with seemingly random strings, points to a payload delivery or execution mechanism.

Heuristics 5

ClamAV: Win.Trojan.Shuffle-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Shuffle-1
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE

A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. OLE file is 18,750 bytes but its declared streams total only 0 bytes — 18,750 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS

This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_off000014c2.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x14C2	18750 bytes
SHA-256: `597a4d05fc99c3282720201f1872095fbde9acab0eb6dc3e6030bd07e6e04e1e`
Detection ClamAV: Win.Trojan.Shuffle-1 Obfuscation or payload: unlikely
`embedded_office_off000032a6.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x32A6	11098 bytes
SHA-256: `bf789a59d919d23864be6d98ba2ae123a0175b9c1700346db1b4c96772a21704`
Detection ClamAV: Win.Trojan.Shuffle-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.