Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3f0be947dcb4e7fe…

MALICIOUS

Office (OLE)

55.0 KB Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 95fb3b1b0ae8460e9eca2308f17df035 SHA-1: a3c22eadbf5870a34c9b6561e25f76fe75a84718 SHA-256: 3f0be947dcb4e7fe5459cf9e16e35ac926ed608a18f43670441dbe351ccf8739
240 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Legacy.Trojan.Agent-231. Static analysis reveals suspicious OLE structure with large slack space and empty streams, indicating potential evasion techniques. The presence of embedded OLE objects suggests a multi-stage attack, likely initiated via spearphishing, where these embedded objects would be used to execute further malicious code.

Heuristics 4

  • ClamAV: Legacy.Trojan.Agent-231 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Legacy.Trojan.Agent-231
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 47,313 bytes but its declared streams total only 0 bytes — 47,313 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off0000232f.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x232F 47313 bytes
SHA-256: f7b125ca4e519d6a5628b90447d21ae540267e6b61e69a57ecc9c8837de9d3e8
Detection
ClamAV: Legacy.Trojan.Agent-231
Obfuscation or payload: unlikely
embedded_office_off00005651.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x5651 34223 bytes
SHA-256: 840da1a880b6193de7b569e12bf6a4dda61775fe5333b979240c92028f02e624

Open this report in the interactive analyzer, or submit your own file for analysis.