Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5d6f266458b291e2…

MALICIOUS

Office (OLE)

67.5 KB Created: 2011-03-17 06:00:37 Authoring application: Microsoft Excel First seen: 2015-10-01
MD5: c34b335d9b0ef819a8d56f95424d1ff0 SHA-1: 01a5b801cdd44605294795d7fa1994cce1d23180 SHA-256: 5d6f266458b291e22c82b1fdc2dba64772336f4cdac9e613e905040633f9a260
108 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an Excel OLE document identified as malicious. It contains an embedded Adobe Flash (SWF) object, a known vector for exploiting vulnerabilities. While the VBA macro source itself contains no executable statements, the presence of the legacy Flash object suggests an attempt to leverage Flash Player exploits for initial execution. The embedded artifact is a VBA macro file named macros.bas.

Heuristics 3

  • Legacy Flash object embedded in Office document high CVE related OFFICE_LEGACY_SWF_OBJECT
    Office document embeds a ShockwaveFlash ActiveX object with a legacy SWF version (8). This is old Flash-in-Office exploit-family evidence, not a specific Flash CVE without SWF tag-level validation.
  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 987 bytes
SHA-256: 56845bb35fdf791b2d2b0ce90d464da9f81eef6f5c9562346451e8a85cc26aca
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ShockwaveFlash1, 1, 0, ShockwaveFlashObjects, ShockwaveFlash"

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True