Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 393b0d0d995e75f7…

MALICIOUS

Office (OLE) / .DOC

Size: 876.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: d21bf8f637917ab225fe53b4b4c24629
SHA-1: d86eba8ffae01832661bc9e939cbc4d7b59dccd1
SHA-256: 393b0d0d995e75f72e9ce0be7bc26313e9a712cced925a0e9ad69d799025abfa
Risk Score: 300

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1059.003 Windows Command Shell

The sample is an Office document containing an embedded PE executable. Heuristics indicate references to Windows API functions such as CreateProcess, ShellExecute, VirtualAlloc, WriteProcessMemory, LoadLibrary, and GetProcAddress, which are commonly used by malware to execute payloads or inject code. The presence of an embedded executable strongly suggests downloader or dropper functionality.

Heuristics 7

  • Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document: possible embedded executable
  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename:  embedded_office_00006000.exe
SHA-256:   7d148ccc75d5b2879d9e0e911cdb15dd7ab171bd787731ed250b3c1765a99c65
Kind:      embedded-pe
Source:    Office MZ+PE at offset 0x6000
Size:      872448 bytes