Office (OLE) malware analysis — malicious · 84cddf45b37e0ccf

MALICIOUS

Office (OLE)

106.5 KB Created: 2004-01-19 11:54:52 Authoring application: Microsoft Excel First seen: 2016-07-20

MD5: f18ea2ea5e2aa6371c1133fafafb8184 SHA-1: 84d7bd077dbb603084c843b83d4287bb3ef2def4 SHA-256: 84cddf45b37e0ccfecc90754339ebbee1ba88022134865b289ff816a74d4691d

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Doc.Dropper.Yawn-6922876-0'. A heuristic firing indicates the presence of VBA p-code auto-execution with execution tokens, specifically 'ExecuteExcel4Macro', suggesting an attempt to run embedded code. Although VBA macros could not be fully extracted due to an unsupported Office format, the combination of these indicators points to a dropper or downloader functionality disguised within a document.

Heuristics 3

ClamAV: Doc.Dropper.Yawn-6922876-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Yawn-6922876-0
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED

olevba could not extract VBA macros (TypeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Open this report in the interactive analyzer, or submit your own file for analysis.