Malware Insights
The file is a malicious Microsoft Excel document that carries a PE executable as an embedded OLE Package (Ole10Native) object. ClamAV identifies the payload as Win.Tool.Mimikatz-9862700-0, and two pieces of package metadata corroborate that: the object's display name is mimikatz.exe, and the string http://blog.gentilkiwi.com/mimikatz is the project URL that Mimikatz prints in its own banner. Mimikatz is a credential-harvesting tool (LSASS memory dumping, pass-the-hash, ticket manipulation). The API references flagged by the heuristics (CreateProcess, WriteProcessMemory, CreateRemoteThread, VirtualAlloc, VirtualProtect, LoadLibrary, GetProcAddress) are string matches in the embedded PE, i.e. its import table, not observed behaviour; they are consistent with Mimikatz's own process-injection and in-memory patching features and do not by themselves indicate a separate loader. No macro or auto-open heuristic fires: the execution path is the user activating the embedded package icon, after which Windows' Packager writes mimikatz.exe to a temporary folder and launches it following a security prompt.
Heuristics (12)

- ClamAV: Win.Tool.Mimikatz-9862700-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware (Win.Tool.Mimikatz-9862700-0).
- Reference to WriteProcessMemory API [critical, SC_STR_WRITEPROCESSMEMORY]: string reference in the embedded PE (import name), not observed behaviour.
- Reference to CreateRemoteThread API [critical, SC_STR_CREATEREMOTETHREAD]: string reference, as above; together with WriteProcessMemory this is the classic remote-thread injection pair.
- Embedded PE executable [critical, OLE_EMBEDDED_EXE]: MZ/PE header found inside the document (at offset 0x2876, see the extracted artifacts); possible embedded executable.
- Ole10Native package drops an auto-executable payload [critical, OFFICE_PACKAGE_RISKY_FILE]: the OLE Package displayName or fullPath ends in a directly runnable extension (a binary, or a script the default shell host runs on double-click); here both end in .exe. Embedding such a payload inside an Office document has no benign authoring use; treat it as a malware-delivery dropper.
- Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
- Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
- Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]: with LoadLibrary, runtime import resolution; common in legitimate binaries as well, so low weight on its own.
- NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]: long run of 0x40 bytes (disassembly hidden). The bytes score as degenerate rather than coherent x86 code: the single mnemonic inc makes up 70% of the instructions, i.e. a sled or padding/filler run, not program logic. (0x40 decodes as inc eax in 32-bit mode; in 64-bit mode it is a REX prefix, so a run of it is almost always filler or data.)
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
- Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel label says where it was found. All ten below were found in document text (OLE body). Nine of them are Certum CA endpoints (OCSP responders, CRL distribution points, certificate repository, CPS), i.e. the AIA, CRL and policy fields of an X.509 certificate chain, which is what an Authenticode signature block inside the embedded PE would contain; they are certificate infrastructure, not command-and-control. The trailing characters on the raw extracted strings (01, 04, 0k, 09, 0q, 0@) were adjacent DER tag and length bytes picked up by the string scanner and are dropped here.
  - http://subca.ocsp-certum.com
  - http://cscasha2.ocsp-certum.com
  - http://blog.gentilkiwi.com/mimikatz
  - http://crl.certum.pl/ctnca.crl
  - http://repository.certum.pl/ctnca.cer
  - http://www.certum.pl/CPS
  - http://crl.certum.pl/cscasha2.crl
  - http://repository.certum.pl/cscasha2.cer
  - https://www.certum.pl/CPS
  - http://repository.certum.pl/ctnca.cer
Extracted artifacts (3)

Files carved from inside the sample during analysis. The same ClamAV signature fires on all three and none shows signs of packing or obfuscation; they are three views of one payload carved at different boundaries, not three different binaries.

| Filename | Kind | Source | Size | SHA-256 | ClamAV | Obfuscation or payload |
|---|---|---|---|---|---|---|
| embedded_office_00002876.exe | embedded-pe | Office MZ+PE at offset 0x2876 | 942474 bytes | 948e1ae62f348eec439eabe60155d308ea85b1f6103186c4e93b691502ddd565 | Win.Tool.Mimikatz-9862700-0 | unlikely |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD04064FC2/Ole10Native | 909796 bytes | 20608ed97ab9411175452de3925d6e54902a7c7d008b4d4ed61f0840a5860698 | Win.Tool.Mimikatz-9862700-0 | unlikely |
| ole10native_00_mimikatz.exe | ole-package-payload | OLE Ole10Native payload: MBD04064FC2/Ole10Native; display_name=mimikatz.exe; full_path=C:\Users\omriko\AppData\Local\Temp\mimikatz.exe; temp_path=(empty); def_file=(empty) | 909472 bytes | 4585b220fd13925aff301e9ac234ea6edbd25848d437d2a107bc0173e6f9a0b9 | Win.Tool.Mimikatz-9862700-0 | unlikely |

Two points worth recording from this table. First, the Ole10Native metadata is an indicator in its own right: the payload was embedded under its original filename (mimikatz.exe) and full_path leaks the local user name (omriko) and the %LOCALAPPDATA%\Temp location on the machine where the object was inserted. Second, the raw-offset carve (0x2876) is larger than the parsed package payload because its end boundary is chosen by the carving tool rather than by the length the Ole10Native header declares; when pivoting on hashes, prefer the payload's SHA-256 (4585b220...), which corresponds to the file exactly as it would be written to disk.
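The two document-level heuristics above (OLE_EMBEDDED_EXE and OFFICE_PACKAGE_RISKY_FILE) and the ole-package rows of the artifact table all rest on the same operation: parsing the Ole10Native stream to recover the label, the original full path and the raw payload, then checking the extension and the PE header. The following is an added example, not the analyzer's code or Mimikatz-related code from the page. It follows the commonly documented Ole10Native layout (the one oletools' OleNativeStream reads) and runs on a constructed stream whose metadata mirrors this sample; the risky-extension list, the stream builder and the fake PE header are assumptions made for the example.

```python
"""Parse and vet an OLE Package (Ole10Native) stream. Added example, not analyzer code.

Layout assumed (as commonly documented, e.g. oletools OleNativeStream):
  DWORD  size of the rest of the stream
  WORD   flags1
  ASCIIZ label (display name)
  ASCIIZ full path of the original file
  WORD   flags2, WORD unknown
  DWORD  length of the temp-path string (including its NUL)
  bytes  temp path
  DWORD  payload size
  bytes  payload
Trailing Unicode copies of the strings, if present, are ignored.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Extensions Windows runs directly on double-click. Assumed list for this
# example (not the analyzer's); extend as needed.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                    ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".dll", ".cpl"}


@dataclass
class Ole10Native:
    label: str
    full_path: str
    temp_path: str
    payload: bytes


def _read_asciiz(buf: bytes, pos: int) -> Tuple[str, int]:
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    """Parse a raw Ole10Native stream; raises ValueError on truncation."""
    declared, _flags1 = struct.unpack_from("<LH", stream, 0)
    if declared + 4 > len(stream):          # header claims more bytes than exist
        raise ValueError(f"truncated stream: declares {declared}, have {len(stream) - 4}")
    pos = 6
    label, pos = _read_asciiz(stream, pos)
    full_path, pos = _read_asciiz(stream, pos)
    pos += 4                                 # flags2 + unknown WORD
    (tmp_len,) = struct.unpack_from("<L", stream, pos); pos += 4
    temp_path = stream[pos:pos + tmp_len].rstrip(b"\x00").decode("latin-1"); pos += tmp_len
    (size,) = struct.unpack_from("<L", stream, pos); pos += 4
    payload = stream[pos:pos + size]
    if len(payload) != size:
        raise ValueError(f"payload truncated: declared {size}, have {len(payload)}")
    return Ole10Native(label, full_path, temp_path, payload)


def is_pe(data: bytes) -> bool:
    """True only if 'MZ' is followed by an e_lfanew that lands on 'PE\\0\\0' (not just an MZ string)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<L", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def risky_extension(*names: str) -> Optional[str]:
    """Return the first name (label or full path) ending in a directly runnable extension.
    Trailing spaces/dots are stripped first, since Windows ignores them when resolving the type."""
    for name in names:
        clean = name.rstrip(" .")
        ext = ("." + clean.rsplit(".", 1)[-1].lower()) if "." in clean else ""
        if ext in RISKY_EXTENSIONS:
            return name
    return None


def build_ole10native(label: str, full_path: str, payload: bytes, temp_path: str = "") -> bytes:
    """Constructed stream for testing; mirrors the layout parse_ole10native reads."""
    body = struct.pack("<H", 2) + label.encode("latin-1") + b"\x00" + full_path.encode("latin-1") + b"\x00"
    body += struct.pack("<HH", 0, 0)
    tmp = temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<L", len(tmp)) + tmp
    body += struct.pack("<L", len(payload)) + payload
    return struct.pack("<L", len(body)) + body


def build_fake_pe(length: int = 256) -> bytes:
    """Constructed minimal MZ/PE header for the test (not a real executable)."""
    blob = bytearray(length)
    blob[:2] = b"MZ"
    struct.pack_into("<L", blob, 0x3C, 0x80)   # e_lfanew
    blob[0x80:0x84] = b"PE\x00\x00"
    return bytes(blob)


# Constructed sample mirroring the report's package metadata (payload is fake).
SAMPLE_STREAM = build_ole10native(
    "mimikatz.exe", r"C:\Users\omriko\AppData\Local\Temp\mimikatz.exe", build_fake_pe())


def triage(stream: bytes) -> dict:
    pkg = parse_ole10native(stream)
    return {"label": pkg.label, "full_path": pkg.full_path, "temp_path": pkg.temp_path,
            "risky": risky_extension(pkg.label, pkg.full_path),
            "is_pe": is_pe(pkg.payload), "size": len(pkg.payload)}


if __name__ == "__main__":
    print(triage(SAMPLE_STREAM))
```

On a real document the stream bytes come from the storage named in the table, for example `olefile.OleFileIO(path).openstream("MBD04064FC2/Ole10Native").read()`, and `triage` then reports the label, the leaked full path, whether either ends in a runnable extension, and whether the payload is a genuine PE rather than a stray "MZ" string.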