Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 642ffe51702cc682…

MALICIOUS

Office (OLE)

Size: 112.0 KB
Created: 2010-08-05 08:16:22
Authoring application: Microsoft Excel
MD5: bf764e136797a17b5deaebc00b64ac73
SHA-1: 78bca8d6200e361d84b36e3c18c105fb0ebae8a5
SHA-256: 642ffe51702cc682bbd4713dec7b525e16534c8ef9498f4937e4732fdf40be17
Risk score: 70

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is a Microsoft Excel document (OLE2 container) that contains a long run of repeated 0x41 ('A') bytes, a pattern consistent with a heap spray and NOP-equivalent sled used to land execution after a memory corruption exploit (T1203, Exploitation for Client Execution). The VBA project is present, but its modules contain no executable statements, so the macro is not the payload; the exploit payload is carried elsewhere in the file or constructed at exploit time. The carved macros.bas also matched 88 base64-like blobs; because a run of 'A' is itself a valid base64-alphabet string, some of those hits may be the same padding rather than encoded data and should be decoded before being treated as a payload. No signature engine flagged the file (ClamAV: no threats found), so the primary IOC is the file's SHA-256 hash.

Heuristics (4)

  • Heap-spray pattern detected (severity: high, rule: SC_HEAP_SPRAY)
    Repeated 0x41 (A) bytes found
  • NOP-equivalent sled detected (severity: medium, rule: SC_NOP_EQUIV_SLED)
    Long run of 0x41 bytes
  • VBA project contains no executable statements (severity: low, rule: OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attribute, option and comment lines and no executable statements.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: eec9dd1bb7691ddcc786dc3865e41cb05e31f3f8c93b42d2ab24beb8c99929e0
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 65909 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 88 long base64-like blob(s))
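The heuristics this report lists are the kind of checks a static triage pass makes before anyone opens the sample. The script below is an added example, not the report generator's or oletools' own code, that re-creates them in Python over constructed input: a single-byte-run scan for the sled/heap-spray signal, a base64-like blob count that discards low-entropy runs (a run of 'A' is a valid base64-alphabet string, so a naive regex counts sled padding as an encoded blob, which is the trap a 0x41 sled plus "88 base64-like blobs" invites), and a VBA module classifier that reports whether anything beyond Attribute/Option/comment lines is present. The thresholds (MIN_RUN, SPRAY_RUN, SPRAY_FRACTION, min_distinct), the SLED_BYTES set and the sample bytes and VBA text are assumptions, not values taken from the report.

```python
"""Static triage heuristics for an Office (OLE) sample.

Added example, not the report generator's or oletools' own code.  Re-creates
the checks the report lists (sled/heap-spray byte runs, base64-like blobs,
VBA modules without executable statements) on constructed input.  Every
threshold below is an assumption to tune per corpus.
"""
import base64
import re

# Single-byte x86 instructions commonly used as sled filler: 0x90 NOP and
# 0x41..0x44 (inc eax/ecx/edx/ebx).  0x41 is also ASCII 'A', which is why a
# "repeated 0x41 bytes" rule fires on what looks like text padding.
SLED_BYTES = {0x90, 0x41, 0x42, 0x43, 0x44}   # assumption
MIN_RUN = 256           # shortest run reported as a sled (assumption)
SPRAY_RUN = 4096        # one run this long is treated as a spray (assumption)
SPRAY_FRACTION = 0.25   # or sled bytes covering this share of the file (assumption)

# Base64 alphabet, 40+ chars, optional padding.  The alphabet includes 'A',
# so "AAAA..." sled padding matches too; the distinct-char filter handles it.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Lines that carry no executable VBA: attributes, options, comments, blanks.
VBA_NON_EXEC = re.compile(r"^\s*(Attribute\s|Option\s|'|Rem\b|$)", re.IGNORECASE)


def single_byte_runs(data, min_run=MIN_RUN):
    """Return [(byte_value, offset, length)] for each run of a single byte
    value that is at least min_run long."""
    runs = []
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i >= min_run:
            runs.append((data[i], i, j - i))
        i = j
    return runs


def sled_runs(data, min_run=MIN_RUN):
    """Only the runs made of bytes that execute as a NOP equivalent."""
    return [r for r in single_byte_runs(data, min_run) if r[0] in SLED_BYTES]


def base64_like_blobs(text, min_distinct=16):
    """Base64-looking substrings using at least min_distinct different
    characters.  Real encoded data spreads over the 64-char alphabet; a
    run of one character is padding, not a payload."""
    return [m.group(0) for m in B64_RE.finditer(text)
            if len(set(m.group(0))) >= min_distinct]


def vba_executable_lines(src):
    """Lines of a VBA module that are not Attribute, Option, comment or
    blank lines (what the report calls executable statements)."""
    return [line.strip() for line in src.splitlines()
            if not VBA_NON_EXEC.match(line)]


def triage(data, vba_src=""):
    """Run all checks over raw sample bytes and, if given, decoded VBA."""
    runs = sled_runs(data)
    covered = sum(length for _, _, length in runs)
    findings = {
        "nop_equiv_sled": bool(runs),
        "heap_spray": any(length >= SPRAY_RUN for _, _, length in runs)
                      or (len(data) > 0 and covered / len(data) >= SPRAY_FRACTION),
        "sled_runs": runs,
    }
    if vba_src:
        findings["vba_no_exec"] = not vba_executable_lines(vba_src)
        findings["b64_blobs"] = len(base64_like_blobs(vba_src))
    return findings


# --- constructed sample input (not bytes from the report's sample) ---------
# OLE2 magic, some zero bytes, a 4 KiB run of 'A', a short NOP run, trailer.
SAMPLE = b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + b"A" * 4096 + b"\x90" * 64 + b"\x00" * 32

# A module holding only attributes, an option and two comment lines: one
# genuine base64 blob and one run of 'A' that a naive regex also counts.
ENCODED = base64.b64encode(bytes(range(256))).decode()
SAMPLE_VBA = "\n".join([
    'Attribute VB_Name = "Module1"',
    "Option Explicit",
    "' " + ENCODED,
    "' " + "A" * 100,
]) + "\n"

# The same module with an actual statement, for contrast.
EXEC_VBA = SAMPLE_VBA + 'Sub AutoOpen()\n    Shell "calc.exe"\nEnd Sub\n'

if __name__ == "__main__":
    for name, vba in (("no-exec module", SAMPLE_VBA), ("exec module", EXEC_VBA)):
        print(name, triage(SAMPLE, vba))
```

In practice the VBA text would come from olevba (the report's own source, oletools.olevba.extract_macros) and the bytes from the sample file. A sled run on its own is weak evidence; the value of recording its offset and length is that it tells you where to look next in the file for the code the spray is meant to land on, and the distinct-character filter keeps that same run from being double-counted as an encoded payload.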