MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1559.001 Component Object Model Hijacking
The file is an OLE document with a significant amount of slack space and embedded EMF objects, indicating a potential for malicious content delivery. The 'Unsupported Office format for VBA extraction' heuristic suggests that standard macro analysis was not possible, but the presence of embedded objects points towards an attack pattern involving their exploitation. The document body contains references to embedded Excel and PowerPoint objects, further supporting this.
Heuristics 3
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 120,832 bytes but its declared streams total only 31,351 bytes — 89,481 bytes (74%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTEDolevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Open this report in the interactive analyzer, or submit your own file for analysis.