Office (OLE) / .DOC malware analysis — malicious · 12c83025fe53146b

MALICIOUS

Office (OLE) / .DOC

196.0 KB Created: 2012-09-21 09:56:09 Authoring application: Windows Installer

MD5: 1e52b11a97c9ec3699421def2b146149 SHA-1: e58134f2eedd4f0ce823686f01f7f522dd5b89c0 SHA-256: 12c83025fe53146bb5d55cd409b0a8ef7f949906b25a330d48f557c642990979

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the document is designed to drop and execute the embedded payload. The embedded executable is the primary indicator of malicious activity.

Heuristics 4

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00006000.exe` `af411f10050102204a331c2f7c88506cfba5a00fd758f8b224a4563fe0f964bd`	embedded-pe	Office MZ+PE at offset 0x6000	176128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.