Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4094a33b4bbb0d8f…

MALICIOUS

Office (OLE)

Size: 74.0 KB
Created: 2005-07-01 10:37:00
Authoring application: Microsoft Word 9.0
First seen: 2017-06-27
MD5: caed5705cd094959809815ba6542511f
SHA-1: 709e931c4fe55c6418d81b7bd5f3e3c765a16db2
SHA-256: 4094a33b4bbb0d8ffc7f95dd9c72cf3e136433275c08f66efb67a549e67978bc
Risk Score: 182

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The file is detected as a dropper by ClamAV, indicating that it likely downloads and executes additional malware. Heuristics indicate references to the Windows API functions CreateProcess, LoadLibrary, and GetProcAddress, which droppers commonly use to load and run payloads. The document body discusses shellcode, which could be a pretext for delivering malicious code.

Heuristics (5)

  • ClamAV: Doc.Dropper.HexEncodedEXEHeader-9789587-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.HexEncodedEXEHeader-9789587-1
  • Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.blackhat.com (in document text, OLE body)