Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c61e34550317d10…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 1018.0 KB
Created: 1998-04-08 22:11:32
Authoring application: Microsoft PowerPoint 4.0
First seen: 2015-09-14

MD5: 0815b64b062cefcc0355ade7bf030118
SHA-1: cac9edddfa1043559ac7ccaa3eca0194991d4673
SHA-256: 2c61e34550317d1091cf4fd7108a9dad5bb646dd4bd28407783f872cedc889db

Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an OLE container with suspicious static findings, including a large slack space anomaly and an embedded Office document with its own static triage findings. The document body discusses Just-in-Time (JIT) and Lean Operations, likely as a lure. The presence of embedded Office documents suggests an attempt to deliver a secondary malicious payload, potentially exploiting vulnerabilities or delivering further malware.

Heuristics (3)

  • [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE: Embedded Office document has suspicious static findings
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • [high] OLE_SLACK_ANOMALY: OLE document has a large unaccounted-for region
    The OLE file is 60,978 bytes but its declared streams total only 4,740 bytes, so 56,238 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • [info] OFFICE_FORMAT_UNSUPPORTED: Unsupported Office format for VBA extraction
    The analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256.

  • ole10native_00.bin (ole-package, 896 bytes)
    Source: OLE Ole10Native stream: Ole10Native
    SHA-256: bc1de09bd8f7a3d8ff725b8fa0d1ef9c6f964ff830273d249d5df203b2f07dca
  • embedded_office_off000ef9ce.ole (embedded-office, 60978 bytes)
    Source: Embedded OLE/CFB Office body inside OLE container at offset 0xEF9CE
    SHA-256: 99fe05eb670bc20262a322c3d9e746f015d323abea008c864d6f72ce7726f9c2
  • ole10native_00_1.bin (ole-package, 896 bytes)
    Source: OLE Ole10Native stream: Ole10Native
    SHA-256: 6a6584703e2cfadf651a0bac3acc2be36fbcbab741a30bbacf06aeda4f1387c8
  • embedded_office_off000f17d6.ole (embedded-office, 53290 bytes)
    Source: Embedded OLE/CFB Office body inside OLE container at offset 0xF17D6
    SHA-256: 81f6c4534dd0396d27eba7375ddc2d3c78d54feacaa26d167ed0c455569ad25a