Office (OLE) malware analysis — malicious · 1c7bc03c2b711026

MALICIOUS

Office (OLE)

298.5 KB

MD5: 542941daf3864844d9cb345b77745cfa SHA-1: 80ce91a5f704cfcfe5e3b0dcd3cd35a8583bf27e SHA-256: 1c7bc03c2b711026ee51f3310b9b3940db6fd9efb4f744613f163c75688642b7

320 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is an OLE file containing an embedded PE executable. Heuristics indicate the use of API hashing and dynamic API resolution, common techniques for evading detection. The presence of CreateProcess and ShellExecute API references suggests the embedded executable is intended to be launched. The document body is heavily obfuscated and unreadable, but the embedded executable is the primary indicator of malicious intent.

Heuristics 8

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
PEB API-hash resolver high SC_API_HASH_RESOLVER

PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_0000aa74.exe` `b38c74026036e0be0822ee99d5fc0457319b82b0be86d0752f1a280bff9558ef`	embedded-pe	Office MZ+PE at offset 0xAA74	262028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.