Office (OLE) malware analysis — malicious · e3ff1ba81afd073d

MALICIOUS

Office (OLE)

332.0 KB First seen: 2015-09-24

MD5: 5089adb06237e1f6e8fbe6c956e54ef0 SHA-1: 8aeb082acd864a4fabce0ee3d9721b1a1a46f916 SHA-256: e3ff1ba81afd073d82ac03b9ca3f1d658b66ea5d1d008bda97bee3f3e69fbc5b

88 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file exhibits characteristics of an OLE document with a large slack space and an appended executable payload, indicating it likely serves as a container for malicious code. Although the VBA project is small and contains no executable statements, the presence of appended payload bytes strongly suggests a secondary stage is present. The file's structure and heuristic firings point towards a malicious document designed to deliver an unknown payload.

Heuristics 3

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 339,968 bytes but its declared streams total only 117,214 bytes — 222,754 bytes (66%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD

OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 671 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	671 bytes
SHA-256: `11993efa3cba2fc6c51e24c164f8f6ee10667f9dc6a11024b0790cb1a63a4c71`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Control = "ListView2, 1, 1, MSComctlLib, ListView" Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

SHA-256: 11993efa3cba2fc6c51e24c164f8f6ee10667f9dc6a11024b0790cb1a63a4c71

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "ListView2, 1, 1, MSComctlLib, ListView"

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.