Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1e65952ae34c70c0…

MALICIOUS

Office (OLE) / .DOC

70.0 KB Created: 2004-04-17 23:56:00 Authoring application: Microsoft Word 9.0
MD5: cb54ce5baad62f3a69a0d19b5051458a SHA-1: d9104890937739cc4d56bb194b0072aef61fd8bd SHA-256: 1e65952ae34c70c04cd33c1154c49e1358ed5624b7abba99553c1fbac98ca4fa
408 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1105 Ingress Tool Transfer

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of ShellExecute, LoadLibrary, and GetProcAddress, suggesting the document is designed to drop and execute the embedded payload. The XOR-encoded strings and the large slack space are common obfuscation techniques. The embedded executable is the primary IOC.

Heuristics 9

  • XOR-encoded strings (key 0x94) critical SC_XOR_ENCODED
    Found 5 Windows library/API name(s) XOR-encoded with single-byte key 0x94: 'kernel32.dll', 'LoadLibraryA', 'GetProcAddress', 'ExitProcess', 'CreateFileA'
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Generic-42 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Generic-42
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 71,680 bytes but its declared streams total only 16,523 bytes — 55,157 bytes (77%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
45a4b3651762a7c760540d16489d504e5ad9462cf46675ae9168748a05b0f967		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 357 bytes
embedded_office_00005800.exe
eb89e84cf8f1fc5f1a3d7cefa2883421832e1511bf93e4816283519c6cb1e3a0		 embedded-pe Office MZ+PE at offset 0x5800 49152 bytes
Detection
ClamAV: Win.Trojan.Generic-42
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.