OLE2: a popular malware delivery mechanism?

OLE2 (Object Linking and Embedding v2) is a Microsoft container file format which can hold objects of various types, arranged as storages and streams in much the same way as directories and files in a file system; it is the on-disk format of binary Word, Excel and PowerPoint documents. Due to the complexity of this format, many vulnerabilities have been found in software that opens these files (see CVE-2007-0913 and CVE-2007-0870), and malware authors are exploiting them.

In recent weeks I’ve noticed an increase in exploited Word, Excel and PowerPoint files being dealt with by SophosLabs and decided to graph the results. The graph shows the number of unique OLE2 samples detected by either the Troj/Maldoc or the Exp/1Table detections.

As the graph shows, there does appear to be a rising trend of exploited files being used to deliver malware.

[Graph: expoited_docs1.PNG, unique OLE2 samples detected as Troj/Maldoc or Exp/1Table]

The reasons for this apparent preference for exploited data files as malware delivery mechanisms have previously been discussed in Chris’s blog “Office Exploits and Friends“. Another reason for using exploited data files is that they are somewhat difficult for anti-virus products to scan, for several reasons:

  • it is difficult to parse them for structural anomalies without simply flagging the file as corrupt
  • the closed format and the lack of detailed public information on the file structure make developing such parsers difficult
  • some of the vulnerabilities being exploited are undisclosed
  • fully parsing every document to look for anomalies is time consuming (especially for an anti-virus engine, where efficient processing is essential)
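To make the container structure and the "flag it as corrupt" problem concrete, here is an added example (not SophosLabs' detection code and not part of the original post) that walks an OLE2 container and reports structural anomalies rather than aborting on the first one. It builds its own constructed container in memory, using the stream names WordDocument and 1Table that a binary Word file carries; the anomaly checks (out-of-range sectors, cyclic FAT chains, declared stream sizes larger than the allocated sectors, malformed directory names) are my choice of what a scanner would want to see, not a list from the post.

```python
"""Minimal OLE2 (Compound File Binary) walker that lists streams and reports
structural anomalies instead of aborting on the first one. Added example, not
SophosLabs' code: it builds its own constructed v3 container (512-byte sectors,
no DIFAT sectors, streams kept out of the mini stream) and then parses it."""
import struct

SIG = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
TYPE_STREAM, TYPE_ROOT, SECTOR = 2, 5, 512

def _dir_entry(name, otype, start, size, child=NOSTREAM, right=NOSTREAM):
    """One 128-byte directory entry; the name is UTF-16LE with a 2-byte terminator."""
    n = name.encode("utf-16-le") + b"\x00\x00"
    return (n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), otype, 1, NOSTREAM, right, child)
            + b"\x00" * 36 + struct.pack("<IQ", start, size))   # CLSID, state bits, times: zero

def build_ole2(streams):
    """Constructed test input, not a real document: sector 0 = FAT, sector 1 = directory,
    then stream data. At most three streams, each padded to >= 4096 bytes so it lives in
    regular sectors rather than the mini stream."""
    assert len(streams) <= 3, "one directory sector holds four entries"
    fat, body = [FATSECT, ENDOFCHAIN], bytearray()
    entries = [_dir_entry("Root Entry", TYPE_ROOT, ENDOFCHAIN, 0, child=1)]
    for i, (name, data) in enumerate(streams):
        data = data.ljust(4096, b"\x00")
        start, nsec = len(fat), -(-len(data) // SECTOR)
        fat += list(range(start + 1, start + nsec)) + [ENDOFCHAIN]
        body += data.ljust(nsec * SECTOR, b"\x00")
        right = i + 2 if i + 1 < len(streams) else NOSTREAM
        entries.append(_dir_entry(name, TYPE_STREAM, start, len(data), right=right))
    header = (SIG + b"\x00" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREESECT] * 108))
    fat_sector = struct.pack("<128I", *(fat + [FREESECT] * (128 - len(fat))))
    return bytes(header + fat_sector + b"".join(entries).ljust(SECTOR, b"\x00") + body)

def parse_ole2(blob):
    """Walk header, FAT and directory. Returns (streams, anomalies): streams maps
    name -> bytes; anomalies lists every structural problem met along the way."""
    streams, anomalies = {}, []
    if len(blob) < 512 or blob[:8] != SIG:
        return streams, ["not an OLE2 file: bad signature or truncated header"]
    shift, = struct.unpack_from("<H", blob, 0x1E)
    if shift not in (9, 12):
        return streams, [f"unsupported sector shift {shift}"]
    ssz, nsect = 1 << shift, len(blob) // (1 << shift) - 1   # sectors the file really holds
    n_fat, first_dir = struct.unpack_from("<II", blob, 0x2C)
    cutoff, = struct.unpack_from("<I", blob, 0x38)
    sector = lambda sid: blob[(sid + 1) * ssz:(sid + 2) * ssz]
    fat = []   # only the 109 DIFAT slots in the header are honoured (no DIFAT sectors)
    for sid in struct.unpack_from("<109I", blob, 0x4C)[:n_fat]:
        if sid >= nsect:
            anomalies.append(f"FAT sector {sid:#x} lies outside the file")
            break
        fat += struct.unpack(f"<{ssz // 4}I", sector(sid))

    def chain(start):
        """Follow a FAT chain; stop on a loop or on a sector the file does not contain."""
        seen, sid = [], start
        while sid != ENDOFCHAIN:
            if sid >= nsect or sid >= len(fat):
                anomalies.append(f"chain from sector {start} reaches {sid:#x}, not backed by the file")
                break
            if sid in seen:
                anomalies.append(f"cyclic FAT chain at sector {sid}")
                break
            seen.append(sid)
            sid = fat[sid]
        return seen

    for dsid in chain(first_dir):
        for off in range(0, ssz, 128):
            e = sector(dsid)[off:off + 128]
            nlen, otype = struct.unpack_from("<HB", e, 0x40)
            if otype == 0:
                continue   # unused entry
            if nlen < 2 or nlen > 64 or nlen % 2 or e[nlen - 2:nlen] != b"\x00\x00":
                anomalies.append(f"directory entry {dsid}+{off} has bad name length {nlen}")
                nlen = 66   # fall back to decoding the whole name field
            name = e[:nlen - 2].decode("utf-16-le", "replace").rstrip("\x00")
            if otype != TYPE_STREAM:
                continue
            start, size = struct.unpack_from("<IQ", e, 0x74)
            if size < cutoff:
                continue   # small streams live in the mini stream, which this example does not walk
            sids = chain(start)
            if size > len(sids) * ssz:
                anomalies.append(f"stream {name!r} declares {size} bytes but only {len(sids)} sectors are allocated")
            streams[name] = b"".join(sector(s) for s in sids)[:size]
    return streams, anomalies

def demo():
    """Parse a clean Word-like container, then the same bytes damaged the way a crafted
    document might be: a looped FAT chain and an absurd declared stream size."""
    clean = build_ole2([("WordDocument", b"\xEC\xA5\xC1\x00" + b"A" * 5000),   # 0xA5EC = Word FIB wIdent
                        ("1Table", b"\x01" * 4096)])
    damaged = bytearray(clean)
    struct.pack_into("<I", damaged, 512 + 19 * 4, 12)               # FAT (sector 0): last 1Table sector -> first
    struct.pack_into("<Q", damaged, 1024 + 128 + 0x78, 0xFFFFFFFF)  # directory entry 1 (WordDocument): size
    return parse_ole2(clean), parse_ole2(bytes(damaged))
```

`demo()` returns the (streams, anomalies) pairs for the clean and the damaged container: the clean one yields both streams and an empty anomaly list; the damaged one still yields both streams but reports the cyclic chain and the impossible stream size, which is the behaviour a scanner needs so that it can keep extracting and scanning the streams (1Table included) instead of giving up as soon as the structure looks wrong. A production parser would additionally walk DIFAT sectors and the mini FAT, and would bound total work per file, since the time cost in the last bullet above is exactly what a looping or oversized chain can inflate.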

Luckily, we at SophosLabs are always looking for new detection strategies to combat the latest threats. The current detections for exploited OLE2 files are only getting better, and we hope to quell the rise before it ever becomes a problem.