Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c2ea70a2dbf1f399…

MALICIOUS

Office (OLE) / .DOC

Size: 614.5 KB
Created: 2014-01-22 05:24:00
Authoring application: Microsoft Office Word
First seen: 2023-08-02
MD5: 9c6658a5db491a534047e9ed73bc08d1
SHA-1: bbf7b1be349aed32f658f5d41eb7905b8e91070e
SHA-256: c2ea70a2dbf1f399b016426018a00f95104867f60a88dd9cae76be3862f7ea49
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros and embedded OLE objects, indicating a likely phishing or social engineering attack. The document body presents a form for personal and employment details, masquerading as a job application. The presence of an unknown reputation URL suggests a potential command and control or credential harvesting endpoint.

Heuristics (5)

  • Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    OLE file is 92,288 bytes but its declared streams total only 0 bytes — 92,288 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code.
  • CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.manaco.lk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: macros.bas
  SHA-256: 51d85e8713bcc7dd50f0e6d1f974edd36dc9650ed5feab292fa28266e4f9cf44
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 449 bytes

Artifact 2
  Filename: embedded_office_off00083180.ole
  SHA-256: 87d0bff6d164d8a9a6b3d1347b97f2427127172434b4ff7d7e657c1c62bcde50
  Kind: embedded-office
  Source: Embedded OLE/CFB Office body inside OLE container at offset 0x83180
  Size: 92288 bytes