Doc.Trojan.LoneRaider-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 4c2f8ac419a19804…

MALICIOUS

Office (OLE)

25.0 KB Created: 1996-11-21 17:11:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: 5c841c1d82b8adba31f0fb05cb7965e8 SHA-1: d9da5cfbdcc63b1653778619cb81590c0a0a5edc SHA-256: 4c2f8ac419a19804c2325c3175b4cf6fdbac694b5215da7bdd8edaeb67dfc898
240 Risk Score

Malware Insights

Doc.Trojan.LoneRaider-1 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as 'Doc.Trojan.LoneRaider-1' by ClamAV, indicating a known malware family. The embedded VBA macro code, when analyzed, reveals an intent to infect the user's system by copying itself to the Normal.dot template and other specified document paths, such as 'C:\LONE.DOC' and 'D:\LONE\LONE.DOC'. This behavior strongly suggests a malicious document designed for malware propagation.

Heuristics 4

  • ClamAV: Doc.Trojan.LoneRaider-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.LoneRaider-1
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 23,424 bytes but its declared streams total only 0 bytes — 23,424 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00000880.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x880 23424 bytes
SHA-256: e88995013c7c2ee9cee68d6945f19b04b5bd6d3e2a289965b42231e44d372130
Detection
ClamAV: Doc.Trojan.LoneRaider-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.