Malicious Office (OLE) / .EXI — malware analysis report

Static analysis result for SHA-256 28db3fdc87d166cc…

Verdict: MALICIOUS

File type: Office (OLE) / .EXI
Size: 53.0 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2026-05-10
MD5: 69c5377c0f33cf1d7a559d368d9641b0
SHA-1: 719c07c36575e4b19138209ae0d6afaeb1943d06
SHA-256: 28db3fdc87d166cc18becc4e6318fc95b06fbc881c076bc4f5df408ba19bdded
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Although VBA macros could not be extracted due to an unsupported format, the document body presents itself as a series of application forms for permits. This suggests a social engineering lure, aiming to deceive the user into interacting with the document in a way that could lead to further compromise. The lack of extractable scripts or specific IOCs limits further analysis of the exact payload.

Heuristics (2)

  • Excel Index Array exploit (CVE-2008-3005). Severity: critical. Tag: CVE likely. Rule: CVE_2008_3005
    Legacy Excel workbook has the CVE-2008-3005 exploit shape: a compact BIFF8 FORMAT-index cluster paired with a normal XF table and a large unallocated OLE slack region used to stage the payload. The FORMAT pattern alone is not sufficient, so the rule requires the OLE slack payload-hiding context to keep false positives low.
  • OLE document has large unaccounted-for region. Severity: high. Rule: OLE_SLACK_ANOMALY
    OLE file is 54,272 bytes but its declared streams total only 21,308 bytes; the remaining 32,964 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).