Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 299cf9a2572462a6…

MALICIOUS

Office (OLE)

Size: 169.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
MD5: 33a20a2c4b1302ab912963f43a57c2f6
SHA-1: 18055481ccf9aaca2601e9b7d97fc3cc2447e7d9
SHA-256: 299cf9a2572462a6f5c7dfa1c5fb7a955bd1382cdeaaf162ffe4f37c03348a2e
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OLE document identified as malicious. It contains a high-severity heuristic indicating exploitation of CVE-2012-0158 via MSCOMCTL.ListView. Additionally, a large slack space anomaly suggests potential obfuscation or embedded malicious content. No VBA macros were found to contain executable statements, and no scripts were extracted.

Heuristics (4)

  • MSCOMCTL.ListView — CVE-2012-0158 (severity: high; CVE likely; rule: CVE_2012_0158)
  • PEB access via FS segment (x86) (severity: high; rule: SC_PEB_ACCESS)
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    OLE file is 173,576 bytes but its declared streams total only 42,799 bytes — 130,777 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements (severity: low; rule: OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 1393fb9c6c18f41eb0fa3c4533b46ef8e1670352e75321cc8504cd42cae698a3
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1271 bytes