Office (OLE) / .EXE malware analysis — malicious · 69c8432cd6192528

MALICIOUS

Office (OLE) / .EXE

42.0 KB Created: 1999-02-08 09:24:15 Authoring application: Microsoft Excel

MD5: 00963eadd215813a1eca255679a457fd SHA-1: 994c765855651603f2781f0519a639e472f2cc57 SHA-256: 69c8432cd61925280d6861d7f2001d21dd58db334ae5ee2a8099e79aaf91d788

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is an OLE executable containing VBA macros, with a critical finding for an embedded Office document and high severity findings for Auto_Open macros and OLE slack anomalies. The Auto_Open macro attempts to save a file named 'Eclipse.xls' to the application's startup path, indicating a likely downloader or persistence mechanism. The embedded document and macro structure suggest a malicious intent to execute further stages.

Heuristics 5

Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE

A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 16,671 bytes but its declared streams total only 0 bytes — 16,671 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS

The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `9f45184379f3260eea8004d4c316f6caaae401d3c9a4a61986e16b470d9c1f39`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8648 bytes
`embedded_office_off000066e1.ole` `2489808873e934fc0f137678988d4218aa1ced016ccb4ffe451e11b45d19bc06`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x66E1	16671 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.