Office (OLE) malware analysis — malicious · 5d2cf1287479d42c

MALICIOUS

Office (OLE)

68.0 KB Created: 2006-09-28 17:06:00 Authoring application: Microsoft Office Word First seen: 2015-09-30

MD5: a9fcabc1b02586ac50ba6f98e3486de0 SHA-1: 50006f0f6e2f0e622f90eed47ad127f449bfc2fc SHA-256: 5d2cf1287479d42c59135235cb3373a5ff3f82e5ea5a925acf5ef65e5bb0b763

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is identified as malicious due to the exploitation of CVE-2012-0158, a known vulnerability in Microsoft Office's MSComctlLib.Toolbar control. This exploit allows for arbitrary code execution when the document is opened. The presence of OLE slack anomalies further suggests potential obfuscation or malicious padding within the file structure.

Heuristics 3

MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE likely CVE_2012_1856

MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856
ClamAV: Doc.Exploit.CVE_2012_0158-17 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2012_0158-17
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 69,632 bytes but its declared streams total only 16,640 bytes — 52,992 bytes (76%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.