Win.Tool.Mimikatz-9862700-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 19c1ef916e24a802…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 930.5 KB
Created: 2018-07-25 10:24:57
Authoring application: Microsoft Excel
First seen: 2018-11-13
MD5: 8a0abaa811bd71ddee96c18c575cc73d
SHA-1: b50ff374a189d563eaa3ae01af06d46b9b8f36ab
SHA-256: 19c1ef916e24a802f6a61949fa5133d214481b6a07a7fef66252d56701d82756
Risk score: 542

Malware Insights

Win.Tool.Mimikatz-9862700-0 · confidence 95%

MITRE ATT&CK
  • T1105 Ingress Tool Transfer
  • T1071.001 Web Protocols
  • T1055.012 Process Injection

The file is identified as a malicious Microsoft Excel document containing an embedded PE executable. Heuristics show references to the CreateProcess, WriteProcessMemory and CreateRemoteThread APIs, which suggests the embedded executable is launched and may inject code into another process. The ClamAV detection name 'Win.Tool.Mimikatz-9862700-0' strongly suggests the embedded payload is Mimikatz, a credential-harvesting tool. The URL 'http://blog.gentilkiwi.com/mimikatz' found in the document supports this, since it is the address of the Mimikatz project page.

Heuristics (12)

  • ClamAV: Win.Tool.Mimikatz-9862700-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Tool.Mimikatz-9862700-0
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes
    Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'inc' is 70% of instructions — a sled or padding/filler run, not program logic).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The certum.pl entries are OCSP, CRL and CPS endpoints of the kind carried in a code-signing certificate chain, and the odd trailing characters (01, 04, 0k, 0@, ...) are most likely the bytes that follow each string in the binary rather than part of the URL; they are left exactly as extracted.
    • http://subca.ocsp-certum.com01 · In document text (OLE body)
    • http://cscasha2.ocsp-certum.com04 · In document text (OLE body)
    • http://blog.gentilkiwi.com/mimikatz · In document text (OLE body)
    • http://crl.certum.pl/ctnca.crl0k · In document text (OLE body)
    • http://repository.certum.pl/ctnca.cer09 · In document text (OLE body)
    • http://www.certum.pl/CPS0 · In document text (OLE body)
    • http://crl.certum.pl/cscasha2.crl0q · In document text (OLE body)
    • http://repository.certum.pl/cscasha2.cer0 · In document text (OLE body)
    • https://www.certum.pl/CPS0 · In document text (OLE body)
    • http://repository.certum.pl/ctnca.cer0@ · In document text (OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • embedded_office_00002876.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x2876
    Size: 942474 bytes
    SHA-256: 948e1ae62f348eec439eabe60155d308ea85b1f6103186c4e93b691502ddd565
    Detection: ClamAV: Win.Tool.Mimikatz-9862700-0
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD04064FC2/Ole10Native
    Size: 909796 bytes
    SHA-256: 20608ed97ab9411175452de3925d6e54902a7c7d008b4d4ed61f0840a5860698
    Detection: ClamAV: Win.Tool.Mimikatz-9862700-0
    Obfuscation or payload: unlikely
  • ole10native_00_mimikatz.exe
    Kind: ole-package-payload
    Source: OLE Ole10Native payload: MBD04064FC2/Ole10Native; display_name=mimikatz.exe; full_path=C:\Users\omriko\AppData\Local\Temp\mimikatz.exe; temp_path=; def_file=
    Size: 909472 bytes
    SHA-256: 4585b220fd13925aff301e9ac234ea6edbd25848d437d2a107bc0173e6f9a0b9
    Detection: ClamAV: Win.Tool.Mimikatz-9862700-0
    Obfuscation or payload: unlikely