Office (OLE) malware analysis — malicious · 8d98155283c4d837

MALICIOUS

Office (OLE)

70.0 KB Created: 2006-09-28 17:06:00 Authoring application: Microsoft Office Word First seen: 2014-08-17

MD5: 7735e571d0450e2a31e97e4f8e0f66fa SHA-1: e2126ebc4910ea0308a150466f70534854ec201d SHA-256: 8d98155283c4d8373d2cf2c7b8a79302251a0ce76d227a8a2abdc2a244fc550e

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is identified as malicious due to the exploitation of CVE-2012-0158, a known vulnerability in Microsoft Office's MSComctlLib.Toolbar control. This exploit allows for arbitrary code execution when the document is opened. The presence of OLE slack anomalies further suggests potential obfuscation or malicious padding within the file structure.

Heuristics 3

MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856 high CVE likely CVE_2012_1856

MSCOMCTL.Toolbar — CVE-2012-0158 / CVE-2012-1856
ClamAV: Doc.Exploit.CVE_2012_0158-17 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2012_0158-17
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 71,680 bytes but its declared streams total only 16,640 bytes — 55,040 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.