Win.Trojan.PTH-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 55bba09abfc172d7…

MALICIOUS

Office (OLE)

Size: 110.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 404e1b4f076979d95417fcfc07c92adc
SHA-1: fc4ad8860d1efe93466c250bb6ecd8d78de2fa46
SHA-256: 55bba09abfc172d7c435a629067a56455afae5cc12e4ee2b2762d5f8dce6d22f
Risk score: 240

Malware Insights

Win.Trojan.PTH-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a malicious Excel 5 document by multiple critical heuristics, including a specific marker for the Laroux macro-virus. The presence of VBA macro markers and the ClamAV detection as Win.Trojan.PTH-1 strongly indicate its malicious nature. The embedded OLE document and anomalous slack space suggest an attempt to evade static analysis.

Heuristics (5)

  • ClamAV: Win.Trojan.PTH-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.PTH-1.
  • Excel 5 Laroux/Larou-CV macro-virus marker cluster [critical] OLE_XLS5_LAROUX_MACRO_VIRUS
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster, including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 101,759 bytes but its declared streams total only 0 bytes — 101,759 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_off00002c81.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0x2C81
Size: 101,759 bytes
SHA-256: bb02b908fa8f8c0451f801358a1b1a98ef5097d84b6e9736ee351d858c66cb3f