Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2218902bc67a30f6…

MALICIOUS

Office (OLE) / .DOC

Size: 270.0 KB
Created: 2009-12-11 11:47:44
Authoring application: Advanced Installer 12.3 build 64631
MD5: fc946f4cd0281baf8c004da19f712281
SHA-1: f32d735738eeed6a81d49e260b5e9568ee07aec9
SHA-256: 2218902bc67a30f600afada4a77540eae6e415634ad420d9dce315f8f1e45dea
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer
  • T1059.005 Visual Basic

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of CreateProcess, ShellExecute, and WScript, suggesting the document is designed to launch the embedded malware. The 'SE_CLIPBOARD_COMMAND_LURE' heuristic indicates the document likely prompts the user to paste content into a command-line interface, facilitating execution of the embedded payload.

Heuristics (8)

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.thawte.com0 — In document text (OLE body)
    • http://t2.symcb.com0 — In document text (OLE body)
    • http://ts-ocsp.ws.symantec.com07 — In document text (OLE body)
    • http://tl.symcd.com0& — In document text (OLE body)
    • http://www.advancedinstaller.com0 — In document text (OLE body)
    • http://crl.thawte.com/ThawteTimestampingCA.crl0 — In document text (OLE body)
    • http://t1.symcb.com/ThawtePCA.crl0 — In document text (OLE body)
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 — In document text (OLE body)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( — In document text (OLE body)
    • http://tl.symcb.com/tl.crl0 — In document text (OLE body)
    • https://www.thawte.com/cps0/ — In document text (OLE body)
    • https://www.thawte.com/repository0 — In document text (OLE body)
    • http://tl.symcb.com/tl.crt0 — In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00012c00.exe
SHA-256: a4a1805a3c2650b77711b7ee4882206fb72019bc60153c058dbf2b06291e0474
Kind: embedded-pe
Source: Office MZ+PE at offset 0x12C00
Size: 199680 bytes