Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 3238d0ae6b23eb2c…

MALICIOUS

Office (OLE) / .DOC

Size: 48.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: 925f6873378cc6863f94800d7612e326
SHA-1: 66ab541d012553191d65cde6f7b4c46cd71ae56d
SHA-256: 3238d0ae6b23eb2cd00de4dcef4648cdd804bb37ace74d90e941b4726e0306e9
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The OLE document exhibits a significant slack anomaly and contains an embedded PE executable. The document body also contains .NET-related strings and assembly manifest information, suggesting the embedded file may be a loader for a .NET application. The embedded executable is the primary indicator of malicious intent: it most likely serves as a second-stage payload, with the document acting as its delivery mechanism.

Heuristics (3)

  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document: possible embedded executable.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    The OLE file is 49,152 bytes, but its declared streams total only 28,198 bytes, so 20,954 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs extracted from this sample are all DigiCert OCSP, CRL, CPS and CA-certificate endpoints of the kind carried in a code-signing or timestamp certificate chain, so they most likely originate from a signature block inside the embedded executable rather than from a download or callback channel.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
SHA-256:  3ead49958df15fbc1203d28340fa5248f666a93b32bc4c6a77556a387cf2cec7
Kind:     embedded-pe
Source:   Office MZ+PE at offset 0x6000
Size:     24576 bytes

Note: offset 0x6000 (24,576) plus 24,576 bytes reaches 0xC000 = 49,152, the declared file size, so the carved executable occupies the second half of the document, running from its midpoint to its end.