Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0df5fa04afced1f9…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 2006-04-27 01:34:00
Authoring application: Microsoft Office Word
First seen: 2012-06-14
MD5: ad96d6bb219d1eaaa90154ef0b50cccb
SHA-1: 554ea542dc987160d061490873e94153e4bdd107
SHA-256: 0df5fa04afced1f960385ee066f9d9616e00ba78ed250d47dfeae9c1a4a12fa8
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing an embedded PE executable. Heuristics indicate the use of ShellExecute, URLDownloadToFile, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread APIs, suggesting the document attempts to download and execute a secondary payload. The embedded executable and the URL used for downloading are key indicators of this malicious behavior.

Heuristics (7)

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
  • Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD)
  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.crazy-japanese.com/g/3546jk.jpg (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006800.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x6800
Size: 3072 bytes
SHA-256: 1fb9eb8a0df0f5915a5f45c0ab83cf7f8de27a56874a4e94f830aab2e85a2e3e