Malicious Office (OLE) / .ZIP — malware analysis report

Static analysis result for SHA-256 4f0aa0de70d63b31…

MALICIOUS

Office (OLE) / .ZIP

Size: 2.20 MB
Created: 2010-05-12 11:41:28
Authoring application: Windows Installer XML (3.0.5419.0)
MD5: 35865dfdf8bd962eed929458380c471a
SHA-1: bacb42a69f26f03dc4f263aea2dc077dab804d58
SHA-256: 4f0aa0de70d63b31139e6abff599f8f992e5a47f15532bea662a2098c3dbfe4c
Risk score: 280

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer
  • T1059.003 Windows Command Shell

The sample is a password-protected archive (SE_PASSWORD_ARCHIVE_LURE) containing a PE executable (OLE_EMBEDDED_EXE). Heuristics found string references to the CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, consistent with execution of the embedded payload. The document body lists files associated with a software installer, including 'AWOPR.exe', indicating a lure to trick the user into running the malicious executable. The presence of embedded URLs further supports the delivery of malicious content.

Heuristics (8)

  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00087200.exe
SHA-256: a50148fc4c97535c5a2659e43fe433c9316a25fd839a3fd204e26f08f40e484f
Kind: embedded-pe
Source: Office MZ+PE at offset 0x87200
Size: 1757696 bytes