Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 287896b96d6840bc…

MALICIOUS

Office (OLE)

Size: 665.0 KB
Created: 2009-11-05 08:00:19
Authoring application: Microsoft Excel
First seen: 2012-06-28

MD5: 151f8319410aa0794a346542d2d3c8f4
SHA-1: 18d69073643fe0aa9c66a8fcae29dbb3b870a99e
SHA-256: 287896b96d6840bce42b06a99605ce834b3c958d770104f2a5b0392834becf0c

Risk score: 482

Heuristics (11)

  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
  • Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
  • Clipboard command execution lure [high] SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.autohotkey.com (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0006f000.exe
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x6F000
Size: 226304 bytes
SHA-256: e7a57fd2d6db69765cf240c74bee5e30b5b4d1221c97cb65eb3c5350e575900b
Detection (ClamAV): Win.Spyware.83214-2
Obfuscation or payload: unlikely