Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1eba9052ed9b718b…

MALICIOUS

Office (OLE)

Size: 5.26 MB
Created: 2010-05-18 19:36:00 (from the OLE SummaryInformation stream, which is attacker-controlled)
Authoring application: Microsoft Word 10.0 (same untrusted metadata; it contradicts the Excel-specific findings below, so it should not drive triage)
MD5: 6c4e0185c6dde936a16b63fee6aac7d9
SHA-1: 30d14de82e67b0a090180612de2fea35c93ac4b1
SHA-256: 1eba9052ed9b718ba430143ca6b262d3674a71604ca05d14e2b9a1dd101d5cd0
Risk score: 260

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1059.001 Command and Scripting Interpreter: PowerShell (engine tag; none of the findings below shows a PowerShell invocation, so treat this mapping as unconfirmed until the decoded macro source is reviewed)
  T1566.001 Phishing: Spearphishing Attachment

The file exhibits multiple indicators of malicious activity: a VBA project with an Auto_Open entry point, an Excel 4.0 (XLM) macro sheet, and a PDF body embedded at a nonzero offset whose carved contents trip PDF static-triage heuristics. ClamAV flags the container itself as Ppt.Malware.Laroux-10036124-0 (Laroux is a long-established Excel macro-virus family, consistent with the XLM finding) and the decoded VBA source extracted from it (macros.bas) as Xls.Trojan.Escape-1. The Auto_Open procedure and the XLM sheet indicate an attempt to execute code as soon as the document is opened. The embedded PDF is a plausible secondary stage for payload delivery; note, however, that the four carved child PDFs all end at the same byte (the end of the file) and overlap, so they are overlapping carves of one trailing PDF region rather than four separate payloads. The OLE metadata (Microsoft Word 10.0, created 2010) comes from the attacker-controlled SummaryInformation stream and disagrees with the Excel-specific evidence; it should be treated as untrusted.

Heuristics 7

  • Secondary embedded PDF body has suspicious static findings (critical, POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes the file to a ZIP/OLE parser while a PDF reader or downstream parser opens the hidden PDF payload. In this sample the outermost PDF body begins at offset 0x38C00 and runs to the end of the file.
  • ClamAV: Ppt.Malware.Laroux-10036124-0 (critical, CLAMAV_DETECTION)
    ClamAV detected the container itself as Ppt.Malware.Laroux-10036124-0.
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample (here the decoded VBA source macros.bas, as Xls.Trojan.Escape-1). Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Auto_Open macro (high, OLE_VBA_AUTO)
    The VBA project defines an Auto_Open procedure. Excel runs it automatically when the workbook is opened and macros are enabled, so it is the standard entry point for macro droppers; the decoded source is macros.bas in the artifact list below.
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream. XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022. XLM code lives in a macro sheet (often hidden or "very hidden"), not in the VBA project, so a review limited to the VBA source misses it.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The six URIs below are the standard XMP/RDF namespace identifiers of a PDF metadata packet (they come from the embedded PDF, not from the macro code) and are not network indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/iX/1.0/

Extracted artifacts 10

Files carved from inside the sample during analysis. The four polyglot child PDFs are overlapping carves, not four documents: each starts at a later PDF header and runs to the same end offset (0x38C00 + 5286400 = 0x7AA00 + 5016576 = 0x7F200 + 4998144 = 0x93C00 + 4913664 = 5518848 bytes, the end of the 5.26 MB file), so there is a single trailing PDF region that contains several PDF headers. The five carved CFF font streams (offsets 0x431F9 to 0x497F4) lie inside that region.

Each entry lists filename, kind, source, size, SHA-256 and any detection.

  • macros.bas
    Kind: vba-macro; size: 2073 bytes
    Source: oletools.olevba.extract_macros (decoded VBA source)
    SHA-256: fb2929454da53a7c274256eb0b38ca9476f9f1c61d52f3b7e15bf6ac20b85c3e
    Detection: ClamAV Xls.Trojan.Escape-1
    Obfuscation or payload: unlikely
  • font_00_cff_off000431f9.bin
    Kind: pdf-font-stream; size: 2760 bytes
    Source: PDF embedded font (CFF) at offset 0x431F9
    SHA-256: a770cb28f89ecd72096a0bc4ccec710ec21cdf34367c91095e6ad5de0b92aa65
  • font_01_cff_off00043d0f.bin
    Kind: pdf-font-stream; size: 4386 bytes
    Source: PDF embedded font (CFF) at offset 0x43D0F
    SHA-256: 078c218c1a6e5d541b08b52d6b0efc35bda6be37e09cd8c9933a89050e41158e
  • font_02_cff_off00044d80.bin
    Kind: pdf-font-stream; size: 4339 bytes
    Source: PDF embedded font (CFF) at offset 0x44D80
    SHA-256: 2679b7736a4ec66b0542981333fce3946d21a61b92e1a8349888c8db552eded5
  • font_03_cff_off000485f1.bin
    Kind: pdf-font-stream; size: 4685 bytes
    Source: PDF embedded font (CFF) at offset 0x485F1
    SHA-256: d4949afe5458e1dbda32a5f424b511a83029ecbb91864b69ec9de91bc440266f
  • font_04_cff_off000497f4.bin
    Kind: pdf-font-stream; size: 3653 bytes
    Source: PDF embedded font (CFF) at offset 0x497F4
    SHA-256: 64cb3474185a23c7d5d1667a85e99ad5b4bd2284eaf66d200e4325f91816d4ac
  • polyglot_child_pdf_off00038c00.pdf
    Kind: polyglot-child-pdf; size: 5286400 bytes
    Source: secondary PDF body inside the OLE container at offset 0x38C00
    SHA-256: 6df8b76096d55c55e43236a28adf05a39af24e85cb7b5b64d6626cd55ff8594e
  • polyglot_child_pdf_off0007aa00.pdf
    Kind: polyglot-child-pdf; size: 5016576 bytes
    Source: secondary PDF body inside the OLE container at offset 0x7AA00
    SHA-256: 6dfd6e89de0a56979de82c5c3ad802797baff02ced9404713489073fd0bfcabd
  • polyglot_child_pdf_off0007f200.pdf
    Kind: polyglot-child-pdf; size: 4998144 bytes
    Source: secondary PDF body inside the OLE container at offset 0x7F200
    SHA-256: e8d27afd55dfa2dd2d7fa9b046022c43246d392e1e5f809e57be8f6f78767591
  • polyglot_child_pdf_off00093c00.pdf
    Kind: polyglot-child-pdf; size: 4913664 bytes
    Source: secondary PDF body inside the OLE container at offset 0x93C00
    SHA-256: 9b5802114e14bdbe06808c3d2106c27a1403f162e9ca35a2e30f083b6306ded7
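The POLYGLOT_CHILD_PDF_STATIC_TRIAGE heuristic and the four overlapping polyglot_child_pdf artifacts above come from the same mechanism: a scan for PDF headers at nonzero offsets, each carved to end of file. The following is an added example, not code from this report or its analysis engine. It routes a file by its top-level magic the way a format router would, finds every %PDF-x.y header past offset zero, carves each to EOF, and then collapses overlapping carves into disjoint regions. The byte sample is constructed; REPORT_CARVES is the (offset, size) list copied from the artifact table, and the example shows that those four carves share one end offset and collapse to the single region starting at 0x38C00.

```python
"""
Added example: carve hidden PDF bodies from a container and collapse overlapping carves.
Not from the report; the byte sample is constructed, REPORT_CARVES comes from the table above.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File (OLE2) header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML / ZIP
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")


@dataclass(frozen=True)
class Carve:
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size


def top_level_container(data: bytes) -> str:
    """What a magic-based router would call the file: 'ole', 'zip', 'pdf' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def find_child_pdfs(data: bytes) -> list[Carve]:
    """Every %PDF-x.y header at a nonzero offset, each carved to end of file."""
    return [Carve(m.start(), len(data) - m.start())
            for m in PDF_HEADER.finditer(data) if m.start() != 0]


def collapse_overlapping(carves) -> list[Carve]:
    """Merge carves whose byte ranges overlap into disjoint regions, sorted by offset."""
    regions: list[Carve] = []
    for c in sorted(carves, key=lambda c: c.offset):
        if regions and c.offset < regions[-1].end:
            last = regions[-1]
            regions[-1] = Carve(last.offset, max(last.end, c.end) - last.offset)
        else:
            regions.append(c)
    return regions


def is_polyglot(data: bytes) -> bool:
    """True when the top-level magic is not PDF but a PDF body is embedded inside."""
    return top_level_container(data) != "pdf" and bool(find_child_pdfs(data))


def build_sample() -> bytes:
    """Constructed: OLE magic padded to one 512-byte sector, then a small PDF whose
    single stream object contains a second %PDF- header (a nested header in the same body)."""
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
           b"3 0 obj\n<< /Length 8 >>\nstream\n%PDF-1.7\nendstream\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC)) + pdf


# (offset, size) of the four polyglot_child_pdf artifacts listed in the table above.
REPORT_CARVES = [Carve(0x38C00, 5286400), Carve(0x7AA00, 5016576),
                 Carve(0x7F200, 4998144), Carve(0x93C00, 4913664)]

if __name__ == "__main__":
    sample = build_sample()
    print(top_level_container(sample), find_child_pdfs(sample))
    print(collapse_overlapping(find_child_pdfs(sample)))
    print({c.end for c in REPORT_CARVES}, collapse_overlapping(REPORT_CARVES))
```

Carving to EOF is what produces the nested, ever-shrinking artifact sizes seen in the table; collapsing the carves first tells you how many distinct PDF bodies actually need to be triaged (here, one), which keeps downstream PDF parsers from re-analysing the same trailing bytes four times.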