Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 4a8fe568e3d0c580…

MALICIOUS

Office (OLE) / .DOC

372.5 KB
MD5: 0eba7c5dc09c931be3e1688047f3b5e1 SHA-1: 67466593530f84cf94f980d70412f34296cea786 SHA-256: 4a8fe568e3d0c580bfb0a4fcb8e12a4c6b93c0b2ed69ce17ca867637a1d7df89
420 Risk Score

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter T1204.002 Malicious File

This OLE document contains an embedded PE executable, identified by ClamAV as Xls.Dropper.Agent-7119305-0. Static analysis reveals numerous high-severity heuristic firings related to Windows API calls such as WinExec, CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress, along with a suspicious cmd.exe invocation. These indicate the document is designed to load and execute the embedded malicious payload.

Heuristics 10

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Xls.Dropper.Agent-7119305-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7119305-0
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 381,440 bytes but its declared streams total only 31,351 bytes — 350,089 bytes (92%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00012460.exe
29e7758a18b1a1f1b65a68c008da35be45fa750460546182b34c04b7b6966c70		 embedded-pe Office MZ+PE at offset 0x12460 306592 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.