Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ddd7332df0e5121e…

MALICIOUS

Office (OLE)

Size: 164.0 KB
Created: 2007-12-27 19:47:21
Authoring application: Microsoft Excel
First seen: 2017-10-28
MD5: cd5ebebb9e38ca7536c22f1f936b5711
SHA-1: 357c00a045a5fe16742ef558f03d2484cc11f18f
SHA-256: ddd7332df0e5121ec3dc799bfbffb23a397fe3ae20087b752f559c4d7340c372
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The file is an Excel document with a significant amount of slack space, indicating potential obfuscation or padding. Crucially, it contains an embedded PE executable. This strongly suggests the document is a lure designed to trick a user into opening it, thereby triggering the execution of the embedded malware. The document body itself appears to be tabular data, likely a decoy.

Heuristics (2)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 167,936 bytes but its declared streams total only 30,932 bytes — 137,004 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00008000.exe
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x8000
Size: 135168 bytes
SHA-256: 71db24941ec08df4f78593f9f5d702598e46d5dcc1404aff4200c17c6351b0d8