Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 71c91362ff7c2fb0…

MALICIOUS

Office (OLE)

24.5 KB Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 58aa79a76d72cd1ca0d467889c067521 SHA-1: 6028b69cedfe22753c1be1f188956d685bec8be0 SHA-256: 71c91362ff7c2fb04a31d3e450b68952e5b46cfafe992614d29e8cf585c6012d
240 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an OLE document with suspicious structural anomalies, including a large unaccounted-for region and unreadable streams, indicating potential obfuscation. ClamAV detections of 'Legacy.Trojan.Agent-498' on both the main file and an embedded artifact strongly suggest malicious intent. The document body's text, 'Listen mit Überraschung', is likely a lure to encourage user interaction, possibly to enable macros for further execution.

Heuristics 4

  • ClamAV: Legacy.Trojan.Agent-498 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Legacy.Trojan.Agent-498
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 17,560 bytes but its declared streams total only 0 bytes — 17,560 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00001d68.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x1D68 17560 bytes
SHA-256: f126f0e12145ba95ed71d3633a78d7678ecbdd48890921facb01940b3bd32a32
Detection
ClamAV: Legacy.Trojan.Agent-498
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.