Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f35ab4b10069ccf6…

MALICIOUS

Office (OLE)

82.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2026-05-11
MD5: b3483f9e9222a97d2bece44a9260fdf1 SHA-1: 7fef7267f931885787f7c663ee5480aa00bacc58 SHA-256: f35ab4b10069ccf69abfa12cb14e650927d3451aa27a963db04e4409e2d55749
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded malicious content. Although VBA macros could not be extracted due to an unsupported format, the document body presents itself as an official application form for various permits, a common lure for phishing or information harvesting. The embedded URLs, while appearing benign, are part of the document's content, suggesting a social engineering pretext. The lack of extractable scripts and the benign nature of the URLs prevent a higher confidence assessment.

Heuristics 3

  • Excel Index Array exploit — CVE-2008-3005 critical CVE likely CVE_2008_3005
    Legacy Excel workbook has the CVE-2008-3005 exploit shape: a compact BIFF8 FORMAT-index cluster paired with a normal XF table and a large unallocated OLE slack region used to stage the payload. The FORMAT pattern alone is not sufficient, so the rule requires the OLE slack payload-hiding context to keep false positives low.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 83,968 bytes but its declared streams total only 21,308 bytes — 62,660 bytes (75%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wicker.senate.gov/public/index.cfm?fuseaction=contact.emailsenatorwicker% In document text (OLE body)
    • http://inhofe.senate.gov/contactus.htmIn document text (OLE body)
    • http://gillibrand.senate.gov/contactIn document text (OLE body)
    • http://kerry.senate.gov/v3/contact/email.htmlIn document text (OLE body)
    • http://boxer.senate.gov/contact/webform.htmlIn document text (OLE body)
    • http://feingold.senate.gov/contact_opinion.html$In document text (OLE body)
    • http://dodd.senate.gov/webmailIn document text (OLE body)
    • http://webb.senate.gov/contactIn document text (OLE body)
    • http://bradsherman.house.gov/sherman/contactIn document text (OLE body)
    • http://www.house.gov/writerepIn document text (OLE body)