Office (OLE) malware analysis — malicious · 9a1e56335e0b2af4

MALICIOUS

Office (OLE)

41.5 KB Created: 2000-07-26 08:31:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-29

MD5: a11ce48107a84877ade01b2915dd8720 SHA-1: 1af0353785d94ce90daaf8e5de88e30e3763f91f SHA-256: 9a1e56335e0b2af456c49ce4aa5ef40c49e9a35c249983fce95484fd09bf53df

88 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The OLE document contains VBA p-code that attempts to auto-execute a macro named 'Document_Open' using 'CreateObject'. Although the VBA project itself contains no executable statements, the presence of the auto-execution trigger and the OLE slack anomaly suggest a deliberately obfuscated or incomplete malicious macro. The file is classified as malicious with a high risk score.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 42,496 bytes but its declared streams total only 22,793 bytes — 19,703 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA project contains no executable statements low 1 related finding OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Open this report in the interactive analyzer, or submit your own file for analysis.