Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f3e0dd4bccdb237d…

MALICIOUS

Office (OLE)

Size: 34.2 KB
Created: 1996-12-17 01:32:42
Authoring application: Microsoft Excel
First seen: 2012-06-28
MD5: 49999aa29c944e09c027a06b0cf96636
SHA-1: 05137e0bcb277396c95b2b106f7fe2c869a1e2c9
SHA-256: f3e0dd4bccdb237db1e762f9aba5cb327b1daa8d34f1ed5e6e86f6985541dd49
Risk Score: 562

Heuristics 13

  • ClamAV: Win.Trojan.Riler-20 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Riler-20
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
    Disassembly not shown: these bytes score as degenerate rather than coherent x86 code (the single mnemonic 'inc' accounts for 77% of instructions, indicating a sled or padding/filler run, not program logic).
  • Egg-hunter shellcode pattern high SC_EGG_HUNTER
    Egg-hunter shellcode pattern
    Disassembly not shown: these bytes score as degenerate rather than coherent x86 code (the single mnemonic 'inc' accounts for 90% of instructions, indicating a sled or padding/filler run, not program logic).
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly not shown: these bytes score as data rather than coherent x86 code (only 5 of 12 branch targets land on an instruction boundary, 42% coherence).
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x41 (A) bytes found
    Disassembly not shown: these bytes score as degenerate rather than coherent x86 code (the single mnemonic 'inc' accounts for 96% of instructions, indicating a sled or padding/filler run, not program logic).
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 35,072 bytes but its declared streams total only 12,288 bytes — 22,784 bytes (65%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file contains raw shellcode-like resolver payload high OLE_RAW_SHELLCODE_PAYLOAD
    Malformed or legacy OLE file contains raw PEB/API-resolver shellcode bytes at the file level, including loader-walk instructions and a nearby payload marker. This indicates an exploit payload carrier but does not identify a specific parser CVE.
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x41 bytes
    Disassembly not shown: these bytes score as degenerate rather than coherent x86 code (the single mnemonic 'inc' accounts for 96% of instructions, indicating a sled or padding/filler run, not program logic).
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_office_00005500.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5500
Size: 13312 bytes
SHA-256: 8df2159d166e51501170f654a2a6a64d86629f488bf4efd6c1de535adda79347
Detection
ClamAV: Win.Trojan.Riler-20
Obfuscation or payload: likely
Carved artifact entropy is 7.47, consistent with packed or encrypted content.