Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 86af976a116861ca…

MALICIOUS

Office (OLE)

47.5 KB Created: 1996-02-08 15:08:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14
MD5: ca72df1489c8763f1dc8c097467367b2 SHA-1: 4881f37365040cdd97c02c03a3546fbcdc09657f SHA-256: 86af976a116861ca6bc8d2f1075e55ba207afe18baf3eb1a6142dbb95e9fad4c
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

This legacy WordBasic macro virus, detected as Win.Trojan.Nuclear-6 and Win.Trojan.Nuclear-7, contains multiple macros designed to infect the global macro area and potentially drop other malware. The 'AutoExec' and 'AutoOpen' macros attempt to copy themselves to the global template, ensuring persistence and infection of new documents. The document body explicitly mentions dropping another virus and a payload to destroy critical system files.

Heuristics 6

  • ClamAV: Win.Trojan.Nuclear-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Nuclear-6
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 48,640 bytes but its declared streams total only 28,286 bytes — 20,354 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off00001160.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x1160 44192 bytes
SHA-256: ccfc3e7ce95cd2c5abc8ca20e3ef4857ad41e5e45b6803a2ac908abdea28b96f
Detection
ClamAV: Win.Trojan.Nuclear-7
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.