Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 63f3d949466b7907…

MALICIOUS

Office (OLE)

Size: 132.4 KB
Created: 1996-10-14 23:33:28
Authoring application: Microsoft Excel
MD5: 5560f06b12614b9a84cfef5726a96647
SHA-1: f0a1a98094ce24bdacbcdca8aad129b022335986
SHA-256: 63f3d949466b7907be269b4580efc4135e683a9687efb2a4684a0414eea91c04
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is an OLE document with a significant slack space anomaly, indicating potential obfuscation or embedded content. It contains an embedded PE executable and an embedded SWF (Flash) object, strongly suggesting it acts as a dropper for a secondary malicious payload. The VBA macros themselves do not contain executable statements but reference controls for ShockwaveFlash, further supporting the presence of Flash content. The embedded executable is the primary IOC.

Heuristics (8)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document [critical] OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 135,536 bytes but its declared streams total only 18,407 bytes — 117,129 bytes (86%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://adobe.com/AS3/2006/builtin
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H
    • http://www.microsoft.com/pki/certs/tspca.crt0
    • http://crl.microsoft.com/pki/crl/products/WinIntPCA.crl0U
    • http://www.microsoft.com/pki/certs/MicrosoftWinIntPCA.crt0
    • http://update.microsoft.com/windowsupdate
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H
    • http://www.microsoft.com/pki/certs/CSPCA.crt0
    • http://www.microsoft.com/windows0

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256:  a4437065eec84f88ff355b97d8611ccfb25f1b88dcdb05d0b8745564ec078a06
Kind:     vba-macro
Source:   oletools.olevba.extract_macros (decoded VBA source)
Size:     1074 bytes

Filename: embedded_office_00005c00.exe
SHA-256:  fc34c13b246b341416efec6096403ff8559088f2724b7400bc841eaf45db7ee3
Kind:     embedded-pe
Source:   Office MZ+PE at offset 0x5C00
Size:     111984 bytes