Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2691be2e02c0d105…

MALICIOUS

Office (OLE)

528.0 KB
MD5: 1775a41ee8b6b973ebdfa40d69a38f5b SHA-1: bbc234a8b54b6f871c75e88c22a4a2cf579b22aa SHA-256: 2691be2e02c0d105dbb1fc22a64dcb3f0fe55ef3494f69913090eb34df209f5c
322 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample is an OLE document containing an embedded PE executable. Heuristics indicate the use of API hashing and dynamic loading of functions like CreateProcess and ShellExecute, common in malware. The document body contains garbled text, suggesting it's not intended for direct user interaction but rather to mask the malicious payload. The primary attack vector is the embedded executable, which is likely a second-stage downloader or payload.

Heuristics 9

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000b27a.exe
d5f78cf3490cb0b96d245af95e06f2af6635730881e63d349f2d011f2a3c0d4a		 embedded-pe Office MZ+PE at offset 0xB27A 494982 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.