Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a5dd80f2330f5b7e…

MALICIOUS

Office (OLE)

Size: 365.0 KB
Created: 1997-04-05 07:33:32
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 3532e95e4e021e5b288ebf9556a8fb6c
SHA-1: ad21bfb134689f8d47e176b8ff861187405e3f64
SHA-256: a5dd80f2330f5b7ebb043bd52b9cd21aa0e15d952dd22663b23a4680c45c2708
Risk Score: 120

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The file is an OLE document with significant slack space and empty streams, indicating potential obfuscation or malicious content. The embedded OLE object is also flagged as suspicious. The document body contains what appears to be garbled text, suggesting an attempt to obscure the true nature of the lure, which is likely to trick the user into interacting with the embedded object.

Heuristics (3)

  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 360,845 bytes but its declared streams total only 0 bytes — 360,845 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                         Kind             Source                                                               Size
ole10native_00.bin               ole-package      OLE Ole10Native stream: MBD000316AD/Ole10Native                      174084 bytes
    SHA-256: bfee867a87394f45f92d9733b2758c3a30bef583dfe12d3159daa4a8ee08578b
embedded_office_off00003273.ole  embedded-office  Embedded OLE/CFB Office body inside OLE container at offset 0x3273   360845 bytes
    SHA-256: 62374dc1d00ed585900b40396dc618b7e2bd787ac5d9284f79ce7d3d301909cf