Malicious Office (OLE) / .MOD — malware analysis report

Static analysis result for SHA-256 055d1c697385d92e…

Verdict: MALICIOUS

File type: Office (OLE) / .MOD

Size: 465.5 KB

MD5: 2d64ffd1b92681941f2729356a321966
SHA-1: 1336b12c6a914bfd32fc70564fa087d969360870
SHA-256: 055d1c697385d92e32006bc9fd0d7646c37f2bad81f60ccb94b9c41b56ddcbfe

Risk score: 160

Malware Insights

MITRE ATT&CK: T1204.002 (User Execution: Malicious File), T1105 (Ingress Tool Transfer)

The sample is an Office document in the OLE compound format that carries an embedded Windows PE executable. The embedded executable is the primary indicator of malicious intent and most likely serves as the second-stage payload (T1105 covers the delivery of that payload; T1204.002 covers the user opening the document). The report attributes references to the Windows APIs VirtualAlloc, LoadLibrary and GetProcAddress to the document's VBA code; this is the classic trio a loader uses to reserve executable memory, map a payload and resolve its imports at runtime. Note, however, that the heuristics that fired are string matches over the file, and these three names also appear in the import table of almost any PE, including the embedded one. Confirm where the hits fall (inside the carved executable, or in the VBA project streams) before reporting them as macro loader logic.

Heuristics (4)

  • OLE_EMBEDDED_EXE (critical): Embedded PE executable.
    MZ/PE header found inside the document; possible embedded executable.
  • SC_STR_LOADLIBRARY (high): Reference to the LoadLibrary API.
  • SC_STR_GETPROCADDRESS (high): Reference to the GetProcAddress API.
  • SC_STR_VIRTUALALLOC (medium): Reference to the VirtualAlloc API.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000083c.exe
SHA-256:  a55ddc7d680c26e2a7a053c8b2fb04e44be8e4b7c5556e50fd14d2599ae15e98
Kind:     embedded-pe
Source:   Office document, MZ+PE header at offset 0x83C
Size:     474,564 bytes

Caveat on the carve: the MZ header sits at offset 0x83C (2,108 bytes) and the carved size is 474,564 bytes, which together give 476,672 bytes, exactly 465.5 KB in 1,024-byte units. The carve therefore runs to the end of the document, which is what a carver does when it takes everything from the MZ header to EOF rather than sizing the image from its own headers. Before using the artifact's SHA-256 as the payload hash, re-derive the executable's on-disk size from its section table (the largest PointerToRawData + SizeOfRawData, at least SizeOfHeaders) and check for trailing container data or an overlay; if trailing bytes were included, the hash above will not match a clean copy of the payload.
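The script below, added here as a worked example and not code from the original report or its analysis platform, performs the two checks raised above on a constructed input: it carves the first parseable PE out of an OLE-style file, sizes it from its own section table instead of assuming it runs from the MZ header to EOF, and classifies each VirtualAlloc/LoadLibrary/GetProcAddress string hit as inside or outside the carved executable so the SC_STR_* heuristics can be attributed. The OLE header, VBA-looking Declare line and minimal PE32 image are all built in build_sample(); the function names are hypothetical.

```python
"""Added example, not code from the original report or its analysis platform.

Checks a reviewer of the report above would want on an OLE/Office file with
an embedded PE:
  1. size the embedded PE from its own section table instead of assuming it
     spans from the MZ header to end of file;
  2. decide whether string hits for VirtualAlloc/LoadLibrary/GetProcAddress
     fall inside the carved executable (its import table) or outside it
     (container streams such as the VBA project).
All input is constructed in build_sample(); helper names are hypothetical.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB / OLE2 signature
API_NAMES = (b"VirtualAlloc", b"LoadLibrary", b"GetProcAddress")


def pe_size_on_disk(data, mz_off):
    """Return the on-disk size of the PE at mz_off, or None if the MZ is not
    followed by a well-formed PE header. Size is the largest
    PointerToRawData + SizeOfRawData over all sections, at least SizeOfHeaders."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew, = struct.unpack_from("<I", data, mz_off + 0x3C)
    pe = mz_off + e_lfanew
    if e_lfanew > 0x1000 or pe + 88 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    # SizeOfHeaders is at optional-header offset 60 for both PE32 and PE32+
    size_of_headers, = struct.unpack_from("<I", data, pe + 24 + 60)
    first_section = pe + 24 + opt_size
    end = size_of_headers
    for i in range(num_sections):
        hdr = first_section + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        if hdr + 40 > len(data):
            return None                       # section table itself truncated
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_embedded_pe(data):
    """Locate the first MZ header that begins a parseable PE and report its
    offset, section-table size, bytes to EOF, and the trailing bytes a naive
    'MZ to EOF' carve would wrongly include (negative means the file is cut)."""
    off = data.find(b"MZ")
    while off != -1:
        size = pe_size_on_disk(data, off)
        if size is not None:
            to_eof = len(data) - off
            return {"offset": off, "size": size, "to_eof": to_eof,
                    "trailing": to_eof - size}
        off = data.find(b"MZ", off + 1)
    return None


def attribute_api_strings(data, pe_off, pe_size, names=API_NAMES):
    """Count each API name's occurrences inside vs. outside the carved PE."""
    counts = {}
    for name in names:
        inside = outside = 0
        pos = data.find(name)
        while pos != -1:
            if pe_off <= pos < pe_off + pe_size:
                inside += 1
            else:
                outside += 1
            pos = data.find(name, pos + 1)
        counts[name.decode()] = {"in_pe": inside, "outside_pe": outside}
    return counts


def build_sample():
    """Constructed test input (not a real document): a fake OLE header plus a
    VBA-looking Declare line, a minimal PE32 with one section holding import
    names, then 64 trailing container bytes so the PE does not reach EOF."""
    vba = b'Private Declare Function GetProcAddress Lib "kernel32" () As Long\r\n'
    container = (OLE_MAGIC + b"\0" * 504 + vba).ljust(0x300, b"\0")

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)               # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    section = b".rdata\0\0" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = (dos + coff + bytes(opt) + section).ljust(0x200, b"\0")
    rdata = b"KERNEL32.dll\0VirtualAlloc\0LoadLibraryA\0GetProcAddress\0"
    pe = headers + rdata.ljust(0x200, b"\0")
    return container + pe + b"\0" * 64


if __name__ == "__main__":
    sample = build_sample()
    info = carve_embedded_pe(sample)
    print(info)
    print(attribute_api_strings(sample, info["offset"], info["size"]))
```

Against the real artifact the two outputs worth reading are trailing (nonzero means the carved size, and so its SHA-256, includes container or overlay bytes) and any outside_pe count, which is the only evidence on this page that the API references come from somewhere other than the executable's own import table. The string scan is byte-level by design; a VBA project stored in a compressed module stream has to be decompressed first (olevba or oledump do that), so a zero outside_pe count on the raw file is not conclusive on its own.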