Office (OLE) malware analysis — malicious · cdd085e6fe703296

MALICIOUS

Office (OLE)

22.0 KB Created: 1996-12-01 11:40:00 Authoring application: Microsoft Word 6.0 First seen: 2012-06-14

MD5: 924bc38998093c79723ce95a222729d5 SHA-1: 0629cb90755ed825616a03b039f82dc207ec827b SHA-256: cdd085e6fe703296501b2b0548e460c0746261f59ef33643f8ca532e0e8557b9

260 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Win.Trojan.TWNO-3. Static analysis revealed a legacy WordBasic AUTOOPEN macro, which is a common indicator for macro-based malware. The embedded OLE document also shows suspicious static findings, suggesting it may contain further malicious content. The presence of AUTOOPEN indicates an attempt to automatically execute code upon opening.

Heuristics 5

ClamAV: Win.Trojan.TWNO-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.TWNO-3
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE

A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 18,404 bytes but its declared streams total only 0 bytes — 18,404 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS

The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_off0000101c.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x101C	18404 bytes
SHA-256: `014419893d87498b93ede92a33d218c360bf72c75019fae463cafcec4c699d87`
Detection ClamAV: Win.Trojan.TWNO-3 Obfuscation or payload: unlikely
`embedded_office_off0000301e.ole`	embedded-office	Embedded OLE/CFB Office body inside ole container at offset 0x301E	10210 bytes
SHA-256: `63b81bca6de617c0f13c55db406fab448dba80adf63efa950642b6a31aa91a41`
Detection ClamAV: Win.Trojan.TWNO-3 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.