Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 308420fc7178b9ee…

MALICIOUS

Office (OLE)

55.5 KB Created: 2011-04-04 06:50:00 Authoring application: Microsoft Office Word First seen: 2015-09-30
MD5: 8c574af9f793ca1e2f7c4fc4786bed63 SHA-1: b257323349e76b6e13cd4d0a80ef603707a567b2 SHA-256: 308420fc7178b9eed8376ea13699866296434c93c5947fadbe0372b3ab16a773
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic firing indicates the presence of an embedded Adobe Flash (SWF) object within the OLE document. This is a common technique for delivering exploits targeting vulnerabilities in Flash Player. The OLE slack anomaly further suggests potential obfuscation or padding within the file structure. No document body text or scripts were extracted, limiting further analysis of the specific exploit or payload.

Heuristics 2

  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 56,860 bytes but its declared streams total only 22,169 bytes — 34,691 bytes (61%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).