Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 2ed8448a833d5bbe…

MALICIOUS

Office (OLE) / .DOC

Size: 2.82 MB
Created: 2018-08-09 11:48:42
Authoring application: Windows Installer XML Toolset (3.11.1.2318)
MD5: b47eb604ab96f02380f64b553199a981
SHA-1: c97521aecd0d08a4827b844ab42bcb02d96ecb35
SHA-256: 2ed8448a833d5bbe72e667a4cb311a88f94143aa77c55fbdbd36ee235e2d9423
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer
  • T1055.012 Process Injection: Process Hollowing
  • T1055.001 Process Injection: Dynamic-link Library Injection

The file triggers high-confidence heuristics for string references to the Windows API functions CreateProcess, ShellExecute, LoadLibrary and GetProcAddress, together with an x86 PEB access through the FS segment, which indicates that the container carries native code intended to launch processes or load and resolve further code at runtime. The ClamAV detection Archive.Trojan.Filetour-6861458-0 further supports the malicious verdict. The absence of a document body or script content prevents a more specific determination of the attack pattern, but the API references imply downloader or dropper functionality. Two caveats apply to reading this report. First, the OLE compound-file container is shared by Word documents and Windows Installer packages; the authoring-application metadata (Windows Installer XML Toolset) and the missing document body mean this "Office (OLE) / .DOC" sample is more plausibly an MSI installer than a Word file, so it should also be examined with installer-aware tooling (stream listing, embedded binaries, custom actions) rather than document-oriented tooling alone. Second, the four API-string heuristics are weak evidence on their own, since legitimate installers reference the same functions; the PEB-access pattern and the ClamAV signature are the stronger indicators, and the process-injection sub-techniques in the ATT&CK mapping are not directly evidenced by the heuristics listed below.

Heuristics (6)

  • ClamAV: Archive.Trojan.Filetour-6861458-0 (severity critical, ID CLAMAV_DETECTION)
    ClamAV detected this file as malware: Archive.Trojan.Filetour-6861458-0
  • PEB access via FS segment (x86) (severity high, ID SC_PEB_ACCESS)
  • Reference to CreateProcess API (severity high, ID SC_STR_CREATEPROCESS)
  • Reference to ShellExecute API (severity high, ID SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (severity high, ID SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity high, ID SC_STR_GETPROCADDRESS)