Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4134aa6962ce37a4…

MALICIOUS

Office (OLE) / .DOC

Size: 1.11 MB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: ef4be631848738f8a19b9c83aedb2fe0
SHA-1: f8a546309e2cc86900654788c01a2344b4f6e4f3
SHA-256: 4134aa6962ce37a46a86a788a2b28d931ca6dec6281c82349ecabfdf434317da
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1137.001 DLL Side-Loading

The sample is a malicious Office document containing an embedded PE executable. Heuristic analysis detected NOP sleds and identified the embedded file as a PE executable. The presence of an embedded executable strongly suggests dropper or downloader functionality, with the document serving as a container for delivery of the malicious payload.

Heuristics (4)

  • Embedded PE executable (critical) [OLE_EMBEDDED_EXE]
    MZ/PE header found inside document; possible embedded executable
  • NOP sled detected (high) [SC_NOP_SLED]
    Found 20+ consecutive 0x90 bytes
  • NOP-equivalent sled detected (medium) [SC_NOP_EQUIV_SLED]
    Long run of 0x41 bytes
  • Suspicious extracted artifact (info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
SHA-256: 636b74df9b26f51ec33c81f648d5bfb6da7cc7092c59d9c4922e0a9f0d3c947c
Kind: embedded-pe
Source: Office MZ+PE at offset 0x6000
Size: 1134592 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.67, consistent with packed or encrypted content.