Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a0d34f31a4c6c7aa…

MALICIOUS

Office (OLE)

Size: 437.4 KB
Created: 2010-12-17 16:45:28
Authoring application: Microsoft Excel
First seen: 2015-09-15
MD5: 0b6e952ff125befcfbeb8c5d2eb97c10
SHA-1: 45b47fbc5cd36e2a60b2382ea71d1db6a1de12ed
SHA-256: a0d34f31a4c6c7aaa8e6303fee1caecb1429d568b09d6cbdf68704290cb284e1
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical ClamAV detection 'Doc.Dropper.HexEncodedEXEHeader-9789587-1' strongly indicates the file's purpose is to drop and execute a malicious payload. The 'SC_STR_WSCRIPT' heuristic suggests the use of Windows Script Host, likely to facilitate the execution of the dropped content. The large slack space in the OLE structure is also characteristic of dropper malware.

Heuristics (3)

  • ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 447,901 bytes but its declared streams total only 22,037 bytes — 425,864 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).