Malicious Office (OLE) / .EXE — malware analysis report

Static analysis result for SHA-256 6c8a758d5c9342a3…

MALICIOUS

Office (OLE) / .EXE

Size: 301.5 KB
Created: 1999-02-08 09:24:15
Authoring application: Microsoft Excel
MD5: dd982dec3a6f433027616ada5e2035a6
SHA-1: dfcb2ef725047d7d158e61ba14e8cf9ccdc01d37
SHA-256: 6c8a758d5c9342a3b1c7f097cb0fa9009533120f227ce3dd2ea0397798909c74
Risk Score: 180

Malware Insights

MITRE ATT&CK techniques
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The file is identified as a malicious Excel 5 document containing the 'Laroux' macro-virus marker. Heuristics indicate embedded Office content with anomalous OLE structure, suggesting an attempt to hide malicious components. The presence of VBA macro markers strongly suggests the execution of Visual Basic code, likely to exploit vulnerabilities and achieve initial execution.

Heuristics (4)

  • Excel 5 Laroux/Larou-CV macro-virus marker cluster [critical] (OLE_XLS5_LAROUX_MACRO_VIRUS)
    Legacy Excel workbook contains a Laroux/Larou-CV macro-virus marker cluster including auto_open execution and workbook/module replication strings. This is a narrow indicator for an infected legacy Excel macro workbook.
  • Embedded Office document has suspicious static findings [critical] (EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region [high] (OLE_SLACK_ANOMALY)
    OLE file is 262,364 bytes but its declared streams total only 0 bytes — 262,364 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams [medium] (OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ole10native_00.bin
    SHA-256: 764d7393b19744a570246d85899ec3f9049322d7d83c9f6cf618c1008f179e74
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD00009340/Ole10Native
    Size: 38180 bytes
  • Filename: embedded_office_off0000b524.ole
    SHA-256: 91294b4d4ca124dfd87ca262ef027720aacf99b73e4d5351a904346838f65398
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ole container at offset 0xB524
    Size: 262364 bytes