Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0026d4422e0c6c69…

MALICIOUS

Office (OLE)

Size: 276.0 KB
Created: 2019-08-30 09:14:50
Authoring application: Microsoft Excel
First seen: 2020-02-04
MD5: 3e7fb4e017efe35c7cc77c37533aadf4
SHA-1: 7d2071514555a2fc4d366137c52ab28e1ef72964
SHA-256: 0026d4422e0c6c69e0ea2635ff942d9c92046b3429a70b43241bac37574e2ee9
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Office document containing an embedded PE executable, which indicates a likely attempt to deliver a second-stage payload. The embedded executable together with the 'VirtualAlloc' API reference suggests the document is designed to drop and execute malware. No scripts were extracted directly; the embedded executable is the primary indicator of malicious intent.

Heuristics (2)

  • Embedded PE executable (critical) OLE_EMBEDDED_EXE
    MZ/PE header found inside document: possible embedded executable
  • Reference to VirtualAlloc API (medium) SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_00003219.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x3219
    Size: 269799 bytes
    SHA-256: 1b56201f35c7d161019188906b40258422ad2051ceef53a9eb65b24d7fbe035f
  • Filename: ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD005CEEB8/Ole10Native
    Size: 152905 bytes
    SHA-256: b82e33e5348d80a77c4fe40bb534a80d1bce00367754818359343bb7622076e6