Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 412519de5b34760a…

Verdict: MALICIOUS
File type: Office (OLE) / .DOC
Size: 64.0 KB
Created: 2009-08-13 12:16:00
Authoring application: Microsoft Word 10.0
MD5: a63dc133ac80313b59b698ae7be8c50b
SHA-1: bb084dd4e8b7f64aa8a465b644788fe4650232ee
SHA-256: 412519de5b34760aaf49bd24a10f1d1934467494a63ee68e7de7116a2ea46be5
Risk score: 180

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell)

The file is a malicious OLE document that contains an embedded PE executable (an MZ/PE header was found inside the document at offset 0xE000); ClamAV detects both the document and the carved executable as Win.Trojan.5889044-1. The document body also includes numerous URLs that appear to be registration or login pages for various forums and websites, which may serve as lures. The embedded executable is the primary payload and is likely executed upon user interaction or by the document's own mechanisms.

Heuristics (4)

  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document: possible embedded executable
  • ClamAV: Win.Trojan.5889044-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.5889044-1
  • ClamAV detection on extracted artifact (severity: critical, rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000e000.exe
SHA-256: 8fcc22c368a9c875e5448b42e3a06c05d0a6e27c5a873a9a9825c6e8502165ce
Kind: embedded-pe
Source: Office, MZ+PE at offset 0xE000
Size: 8192 bytes
Detection: ClamAV: Win.Trojan.5889044-1
Obfuscation or payload: unlikely