Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c3e0c14cd901265d…

MALICIOUS

Office (OLE)

34.5 KB Created: 1997-03-21 21:04:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14
MD5: 91a08ec478c1f183d23b2e365bb97be0 SHA-1: 0e83e1a38b59865d0826449331176d367e7d8288 SHA-256: c3e0c14cd901265dd0468b025edef94423d4432adabe0a85b497a9cd105b1ee2
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file contains legacy WordBasic macro virus markers and exhibits OLE slack anomalies, indicating a potentially malicious structure. The document body presents links to external websites, suggesting an attempt to redirect the user to malicious or phishing sites. The ClamAV detection as Win.Trojan.Dark-7 further supports the malicious classification.

Heuristics 6

  • ClamAV: Win.Trojan.Dark-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Dark-7
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 35,328 bytes but its declared streams total only 18,672 bytes — 16,656 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.knowledgies.com/about.htm In document text (OLE body)
    • http://www.knowledgies.com/speak.htmIn document text (OLE body)
    • http://www.knowledgies.com/book1.htmIn document text (OLE body)
    • http://www.knowledgies.com/bk1_app.htmIn document text (OLE body)
    • http://www.pcweek.com/opinion/0210/10isigh.htmlIn document text (OLE body)
    • http://www.innergy.com/reviews/mhills1.htmlIn document text (OLE body)
    • http://www.boardwatch.com/mag/97/JAN/BWM23.HTMIn document text (OLE body)
    • http://www.amazon.com/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_off0000473c.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x473C 17092 bytes
SHA-256: 896fbe03c95158a4106bd80657fe34862c64c2dbac003d2a33969ff71cda87b3

Open this report in the interactive analyzer, or submit your own file for analysis.