MALICIOUS
362
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The file is an Office document containing an embedded OLE package that drops a PE executable. The package is flagged as a download-and-execute script, indicating it likely fetches and runs a second-stage payload. The presence of ShellExecute and LoadLibrary API references further supports the execution of external code.
Heuristics 9
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPERThe OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
NOP sled detected high SC_NOP_SLEDFound 20+ consecutive 0x90 bytes
Disassembly
Attempted x86 opcode disassembly00003B91 90 nop 00003B92 90 nop 00003B93 90 nop 00003B94 90 nop 00003B95 90 nop 00003B96 90 nop 00003B97 90 nop 00003B98 90 nop 00003B99 90 nop 00003B9A 90 nop 00003B9B 90 nop 00003B9C 90 nop 00003B9D 90 nop 00003B9E 90 nop 00003B9F 90 nop 00003BA0 90 nop 00003BA1 90 nop 00003BA2 90 nop 00003BA3 90 nop 00003BA4 90 nop 00003BA5 90 nop 00003BA6 48 dec eax 00003BA7 ff25d90e0600 jmp dword ptr [0x60ed9] 00003BAD 90 nop 00003BAE 90 nop 00003BAF 90 nop 00003BB0 90 nop 00003BB1 90 nop 00003BB2 90 nop 00003BB3 90 nop 00003BB4 90 nop 00003BB5 90 nop 00003BB6 48 dec eax 00003BB7 83ec28 sub esp, 0x28 00003BBA 8d4101 lea eax, [ecx + 1] 00003BBD 3bc1 cmp eax, ecx 00003BBF 0f8241930300 jb 0x3cf06 00003BC5 48 dec eax 00003BC6 c1e002 shl eax, 2 00003BC9 b9ffffffff mov ecx, 0xffffffff 00003BCE 48 dec eax 00003BCF 3bc1 cmp eax, ecx 00003BD1 0f872f930300 ja 0x3cf06 00003BD7 8d480c lea ecx, [eax + 0xc] 00003BDA 3bc8 cmp ecx, eax 00003BDC 0f8224930300 jb 0x3cf06 00003BE2 8bd1 mov edx, ecx 00003BE4 b940000000 mov ecx, 0x40 00003BE9 ff15df060600 call dword ptr [0x606df] 00003BEF 48 dec eax 00003BF0 85 .byte 0x85
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/SMI/2005/WindowsSettings Embedded OLE package script
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00002866.exe |
embedded-pe | Office MZ+PE at offset 0x2866 | 939930 bytes |
SHA-256: 0b25e92498efff6f409b39fda5803f4cc22a450b2128adf1368db7464373a7ae |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_SHELLEXEC, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: LoadLibraryW, LoadLibraryExA, GetProcAddress
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: MBD000A5A77/Ole10Native | 918804 bytes |
SHA-256: cd5b7f5a389012f4a6982c55d8e1688d16d223dd95c6c3a82b14d16eff38ab05 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_SHELLEXEC, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: LoadLibraryW, LoadLibraryExA, GetProcAddress
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.