Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 44b88392812fe008…

MALICIOUS

Office (OLE)

Size: 2.49 MB
First seen: 2026-05-10
MD5: f3d30c602141bc5346d74efb8c830b8c
SHA-1: b17e834d9bd27af69c01b585a3592f14f64fe749
SHA-256: 44b88392812fe00877d58069d8c7eb046462891a125f617f35e5053ce3ccd6b3
Risk Score: 240

Heuristics (7)

  • Equation Editor OLE object (high, CVE related) [OLE_EQUATION_EDITOR]
    Default-encrypted OOXML embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream (high, likely CVE) [CVE_2018_0798_EQUATION_NATIVE_ANOMALY]
    Default-encrypted OOXML contains embedded Equation Editor data with anomalous native stream bytes consistent with a CVE-2018-0798-style exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like.
  • PEB access via FS segment (x86) (high) [SC_PEB_ACCESS]
    Attempted x86 opcode disassembly of the flagged bytes; the leading instruction reads the PEB through the FS segment (fs:[...+0x30]).
  • Default-encrypted OOXML exploit carrier layout (high) [OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE]
    Default-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
  • Equation Editor object carries payload-like Ole10Native stream (high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Default-encrypted OOXML embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is exploit-shaped Equation/OLE payload evidence.
  • Office document is password-encrypted (medium) [OFFICE_ENCRYPTED_PACKAGE]
    OLE container holds an MS-OFFCRYPTO encrypted package using Standard Encryption (Office 2007+, AES-128).
  • Office OOXML encrypted with default VelvetSweatshop password (medium) [OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML]
    OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.