Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e12c61fc8d80c2f…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 931.0 KB
Created: 2018-07-25 10:24:57
Authoring application: Microsoft Excel
First seen: 2020-02-04

MD5: 6bfff091c62f8c3a48f92ef3cfecb56c
SHA-1: 0dcc1d44323534864e316d37d546469ae3d96797
SHA-256: 3e12c61fc8d80c2f742cd7b684b2397ba04257dfeb494e49cef8ec5184a7e663

Risk Score: 542

Malware Insights

MITRE ATT&CK
  • T1055 Process Injection
  • T1105 Ingress Tool Transfer

The sample is an Office document that contains an embedded PE executable. Critical heuristics indicate the use of Windows API functions such as CreateProcess, VirtualAlloc, VirtualProtect, WriteProcessMemory, CreateRemoteThread, LoadLibrary, and GetProcAddress, which are commonly used for process injection and execution of payloads. The embedded executable and the reference to Mimikatz in a URL suggest the file is designed to drop and execute a credential-stealing tool.

Heuristics (12)

  • ClamAV: Win.Tool.Mimikatz-9862700-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Tool.Mimikatz-9862700-0
  • Reference to WriteProcessMemory API [critical, SC_STR_WRITEPROCESSMEMORY]
  • Reference to CreateRemoteThread API [critical, SC_STR_CREATEREMOTETHREAD]
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload [critical, OFFICE_PACKAGE_RISKY_FILE]
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
  • NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]
    Long run of 0x40 bytes
    Disassembly
    Attempted x86 opcode disassembly
    0008A7F6 .. 0008A855  40  inc eax   (96 consecutive 0x40 bytes, each decoding as `inc eax`)
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
  • Reference to VirtualProtect API [medium, SC_STR_VIRTUALPROTECT]
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The trailing characters after several of the URLs below (for example `01`, `0k`, `09`, `0@`) are adjacent bytes of the surrounding certificate encoding picked up by the string extractor, not part of the URL; the certum.pl OCSP, CRL and CPS URLs are typical of a code-signing certificate chain carried in the embedded executable, while the gentilkiwi.com URL is the Mimikatz project reference.
    • http://subca.ocsp-certum.com01 (in document text, OLE body)
    • http://cscasha2.ocsp-certum.com04 (in document text, OLE body)
    • http://blog.gentilkiwi.com/mimikatz (in document text, OLE body)
    • http://crl.certum.pl/ctnca.crl0k (in document text, OLE body)
    • http://repository.certum.pl/ctnca.cer09 (in document text, OLE body)
    • http://www.certum.pl/CPS0 (in document text, OLE body)
    • http://crl.certum.pl/cscasha2.crl0q (in document text, OLE body)
    • http://repository.certum.pl/cscasha2.cer0 (in document text, OLE body)
    • https://www.certum.pl/CPS0 (in document text, OLE body)
    • http://repository.certum.pl/ctnca.cer0@ (in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_00002876.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x2876
    Size: 942986 bytes
    SHA-256: b82bb26706efd5f08d7b3903a9105eb17e86f77dc95077ea07543be7c347f943
    Detection: ClamAV: Win.Tool.Mimikatz-9862700-0
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD04064FC2/Ole10Native
    Size: 909796 bytes
    SHA-256: 20608ed97ab9411175452de3925d6e54902a7c7d008b4d4ed61f0840a5860698
    Detection: ClamAV: Win.Tool.Mimikatz-9862700-0
    Obfuscation or payload: unlikely