MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1559.001 Component Object Model Hijacking
The OLE document exhibits anomalies in its structure, including a large slack space and an EMF object within an EPRINT stream, suggesting malicious intent. Although VBA macros could not be extracted, the presence of embedded object references like 'Excel.Sheet.8' and 'PowerPoint.Slide.8' within the document body indicates an attempt to exploit OLE embedding mechanisms. The document body itself is a report about test file construction, likely a lure to encourage interaction with the embedded objects.
Heuristics 3
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYOLE file is 138,752 bytes but its declared streams total only 31,351 bytes — 107,401 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTEDolevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
Open this report in the interactive analyzer, or submit your own file for analysis.