Malicious Office (OLE) / .UTF — malware analysis report

Static analysis result for SHA-256 7cfe6914316e9d5c…

MALICIOUS

Office (OLE) / .UTF

Size: 706.5 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2026-05-10
MD5: 0c1388c2da05d40fbdac9a5934fbe29c
SHA-1: 77e97f040c94a08f9894322a9fd175c86344b2e2
SHA-256: 7cfe6914316e9d5c89de45a7c7b2981ae90e74ea22f0b3fe5f2294372120ffb5
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is identified as malicious due to a critical heuristic firing for the CVE-2008-3005 exploit in Excel. This vulnerability allows for arbitrary code execution, which is a common method for delivering further malicious content. The large amount of slack space in the OLE structure also suggests potential obfuscation or padding related to the exploit.

Heuristics (2)

  • Excel Index Array exploit (CVE-2008-3005): severity critical; CVE: likely; rule: CVE_2008_3005
    Legacy Excel workbook has the CVE-2008-3005 exploit shape: a compact BIFF8 FORMAT-index cluster paired with a normal XF table and a large unallocated OLE slack region used to stage the payload. The FORMAT pattern alone is not sufficient, so the rule requires the OLE slack payload-hiding context to keep false positives low.
  • OLE document has large unaccounted-for region: severity high; rule: OLE_SLACK_ANOMALY
    OLE file is 723,456 bytes but its declared streams total only 21,308 bytes — 702,148 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).