Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 556ed1719ccb9419…

MALICIOUS

Office (OLE) / .DOC

Size: 999.0 KB
Created: 2009-12-11 11:47:44
Authoring application: Advanced Installer 15.9 build daae28bc
MD5: 0a43274c39e4906a2c8005f7cf33886c SHA-1: cdfb4e48d5a6c7299bb78d309fac8662918520d6 SHA-256: 556ed1719ccb9419b7cefa305e5b35abebf582c962cfa564fa813461ec9aa2ad
Risk score: 260

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File

The sample is an OLE compound file with a Portable Executable (PE) embedded at offset 0xA000; the carved PE runs to the end of the container (0xA000 + 982016 bytes = 999.0 KB). That embedded executable is the primary indicator behind the verdict: the document is a carrier for it and most likely acts as a dropper. The CreateProcess, ShellExecute, LoadLibrary and GetProcAddress hits are string references, most plausibly import names inside the embedded PE, and show that it can spawn processes and resolve APIs at runtime; the FS-segment PEB access points to code that walks the PEB instead of relying on the import table, as packers and shellcode do. Two caveats before treating this as a weaponised Word document: the authoring application is Advanced Installer and the extracted strings include Windows Installer property names (ProductLanguage, AiPreferFastOem, ProductVersion, ButtonText_OK, ErrorDialog), so the container may be an MSI package rather than a .doc, since both are OLE structured storage; and the four API names are equally routine in legitimate installers. No listed heuristic evidences COM use, so the T1559.001 mapping should be treated as unconfirmed; T1204.002 (the user opening or running the file) is what the evidence supports.

Heuristics (7)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside the document; carved as the artifact below (MZ stub at 0xA000 whose e_lfanew lands on a PE signature).
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    Code reads the Process Environment Block through fs:[0x30], the way position-independent shellcode and packers locate loaded modules without going through the import table.
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    String reference to CreateProcess: the code can spawn a new process.
  • Reference to ShellExecute API [high] SC_STR_SHELLEXEC
    String reference to ShellExecute: the code can launch files or URLs through the shell.
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    String reference to LoadLibrary: modules can be loaded at runtime.
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    String reference to GetProcAddress: paired with LoadLibrary this resolves APIs dynamically, keeping them out of the static import table. All four API names are also routine in legitimate installers, so they raise the score without being conclusive on their own.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The raw strings carry two kinds of residue: a trailing `0` plus at most one character (06, 0%, 0@, 0() is the ASN.1 SEQUENCE tag 0x30 and its length byte from a DER-encoded certificate glued onto the URL, and the MiniGame.zip entry runs straight into neighbouring Windows Installer property strings because the string pool stores them back to back. Cleaned URLs, with the raw extraction in parentheses:
    • http://www.winimage.com/zLibDll (banner string shipped in zlib DLL builds)
    • http://s.symcd.com (raw: http://s.symcd.com06; OCSP responder)
    • http://ts-ocsp.ws.symantec.com (raw: http://ts-ocsp.ws.symantec.com0; timestamp-chain OCSP responder)
    • https://senac3.s3.us-east-2.amazonaws.com/MiniGame.zip (the only external download candidate; raw: https://senac3.s3.us-east-2.amazonaws.com/MiniGame.zipPROMPTROLLBACKCOSTPAppsShutdownOptionAllButtonText_RepairRe&pararProductLanguage1046AiPreferFastOemProductVersion1.0.0DialogBitmapdialog{9D9373A7-54DD-48EF-B2A1-FA35A8B8EC93}ButtonText_OKOKErrorDialogErrorDlgEnableUserControlButtonText_Back)
    • https://www.advancedinstaller.com (installer vendor)
    • https://d.symcb.com/cps (raw: https://d.symcb.com/cps0%; certificate practice statement pointer)
    • https://d.symcb.com/rpa (raw: https://d.symcb.com/rpa0; relying party agreement pointer)
    • http://s.symcb.com/universal-root.crl (raw: http://s.symcb.com/universal-root.crl0; CRL)
    • https://d.symcb.com/rpa (raw: https://d.symcb.com/rpa0@; second copy of the entry above)
    • http://ts-crl.ws.symantec.com/sha256-tss-ca.crl (raw: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0; timestamp CA CRL)
    • http://ts-aia.ws.symantec.com/sha256-tss-ca.cer (raw: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(; timestamp CA issuer certificate)
    The symantec.com, symcb.com and symcd.com URLs are OCSP, CRL, AIA and policy pointers from a DER-encoded Authenticode certificate and timestamp chain carried in the sample (most likely the signature of the embedded PE). They are not command-and-control and should not be blocked or pivoted on as such; the S3 URL is the one worth pursuing.
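The cleanup applied to the URL list above, as an added example that is not output of the analysis platform: a strings-style pass over raw bytes that trims the DER residue and the string-pool run-on, then sorts each URL into certificate-chain pointer, known vendor string or download candidate. The SAMPLE bytes are constructed to imitate the report's raw strings (they are not taken from the analysed file), the vendor allowlist and the "trailing 0 plus one byte" rule are my own heuristics, and the DER rule has a known false positive: a genuine URL that ends in the digit 0 is clipped as well.

```python
"""Strings-style URL extraction with the residue seen in this report cleaned up.

Added example, not platform output. SAMPLE is constructed to mimic the raw
strings in the report; the trimming and labelling rules are heuristics.
"""
import re

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
URL_CHARS = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~%/\-?=&+#]*)?")
PAYLOAD_EXT = re.compile(r"\.(?:zip|exe|msi|dll|cab|7z|rar|ps1|vbs|js|jar)", re.IGNORECASE)
# ASN.1 SEQUENCE tag 0x30 ('0') plus an optional printable length byte glued to the URL.
DER_TAIL = re.compile(r"0[\x20-\x7e]?$")
PKI_MARKERS = ("ocsp", ".crl", ".cer", "/cps", "/rpa", "symcb.com", "symcd.com", "symantec.com")
KNOWN_VENDOR = ("winimage.com", "advancedinstaller.com")  # constructed allowlist for this sample


def clean_url(candidate: str) -> tuple:
    """Trim one raw URL candidate (a printable run from its scheme onward) and say why."""
    m = URL_CHARS.match(candidate)
    if not m:
        return "", "no-url"
    url, rest = m.group(0), candidate[m.end():]
    ext = PAYLOAD_EXT.search(url)
    if ext and ext.end() < len(url):
        # MSI _StringData packs strings back to back: cut after the file extension.
        return url[:ext.end()], "string-pool-runon"
    der = DER_TAIL.search(url)
    # Only when the run ended right after the URL (at most one stray byte left). Caveat:
    # a genuine URL ending in the digit 0 is clipped too; check such hits by hand.
    if der and len(rest) <= 1 and URL_CHARS.fullmatch(url[:der.start()]):
        return url[:der.start()], "der-residue"
    return url, "clean"


def classify(url: str) -> str:
    """Label for triage: certificate-chain pointer, known vendor string, or a download to pivot on."""
    low = url.lower()
    host = low.split("/")[2]
    if any(k in low for k in PKI_MARKERS):
        return "pki-chain"            # OCSP/CRL/AIA/CPS pointers from an Authenticode chain, not C2
    if any(host == v or host.endswith("." + v) for v in KNOWN_VENDOR):
        return "vendor-string"
    if PAYLOAD_EXT.search(low):
        return "download-candidate"   # the kind of URL worth pivoting on
    return "review"


def extract_urls(data: bytes) -> list:
    """Walk printable runs the way `strings` does, then clean and label every URL in them."""
    found = []
    for run_m in PRINTABLE_RUN.finditer(data):
        run = run_m.group(0).decode("ascii")
        for s in re.finditer(r"https?://", run):
            url, note = clean_url(run[s.start():])
            if url:
                found.append({"url": url, "note": note, "class": classify(url)})
    return found


# Constructed bytes imitating the report's raw strings: a zlib banner, DER-encoded
# certificate fields (length bytes and tags around each URL), an MSI string pool
# run-on, and a vendor URL. Not taken from the analysed file.
SAMPLE = (
    b"\x00\x00http://www.winimage.com/zLibDll\x00"
    b"\x86\x12http://s.symcd.com0\x36\x06\x08"                 # URL, then SEQUENCE len 0x36, OID tag
    b"\x16\x17https://d.symcb.com/cps0\x25\x06"                # URL, then SEQUENCE len 0x25 ('%')
    b"\x86\x25http://s.symcb.com/universal-root.crl0\x81\x0d"  # URL, then SEQUENCE, long-form length
    b"\x00https://senac3.s3.us-east-2.amazonaws.com/MiniGame.zipPROMPTROLLBACKCOSTPAppsShutdownOption\x00"
    b"\x00https://www.advancedinstaller.com\x00"
)

if __name__ == "__main__":
    for hit in extract_urls(SAMPLE):
        print(f'{hit["class"]:20} {hit["note"]:18} {hit["url"]}')
```

Run against the carved PE rather than the whole container to see which strings live in the executable; the proper fix for the MSI run-on is to read the _StringPool length table instead of cutting at an extension, which needs a full OLE parser.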

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000a000.exe
SHA-256: bb8474b8b3e55a2fd271fda2feceee11ed160fe017efbd2c432344eedc69cf79
Kind: embedded-pe
Source: Office container, MZ+PE at offset 0xA000
Size: 982016 bytes

Offset plus size is 0xA000 + 982016 = 1022976 bytes, exactly the 999.0 KB of the container, so the carve runs from the MZ stub to end of file and anything after the PE's last section (an Authenticode signature, an appended installer payload) is included. Hash, signature-check and detonate this file on its own: the certificate-chain URLs above suggest it carries a certificate chain, and a signer name is a faster pivot than the container hash.
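A re-implementation of the OLE_EMBEDDED_EXE heuristic and the artifact sizing above, as an added example that is not the analysis platform's code: it checks the OLE magic, tells a Windows Installer root storage apart from a Word document by CLSID and stream name (my own triage heuristic, relevant because the authoring application is Advanced Installer), locates MZ stubs whose e_lfanew lands on a PE signature, sizes the image from the section table and carves from the MZ offset to end of file, which is what the 982016-byte artifact at 0xA000 amounts to. The container returned by build_sample() is constructed for the demonstration and is not the reported file.

```python
"""Re-implementation of the OLE_EMBEDDED_EXE heuristic (added example, stdlib only)."""
import hashlib
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Root-storage CLSID of a Windows Installer package, {000C1084-0000-0000-C000-000000000046},
# as the mixed-endian GUID is laid out inside the OLE directory entry.
MSI_ROOT_CLSID = bytes.fromhex("84100c0000000000c000000000000046")
WORD_STREAM = "WordDocument".encode("utf-16-le")


def classify_container(data: bytes) -> str:
    """Cheap triage: is this OLE container an MSI, a Word binary document, or neither?"""
    if not data.startswith(OLE_MAGIC):
        return "not-ole"
    if MSI_ROOT_CLSID in data:
        return "ole-msi"
    if WORD_STREAM in data:
        return "ole-word"
    return "ole-unknown"


def pe_section_end(data: bytes, pe: int) -> int:
    """Highest PointerToRawData + SizeOfRawData over the section table (offsets are PE-relative)."""
    if pe + 24 > len(data):
        return 0
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    end = 0
    for i in range(nsec):
        hdr = table + i * 40
        if hdr + 40 > len(data):
            return 0
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_embedded_pe(data: bytes) -> list:
    """Find every MZ stub whose e_lfanew lands on 'PE\\0\\0' and carve it to end of file,
    which is what the platform's 982016-byte artifact at 0xA000 amounts to."""
    hits, pos = [], 0
    while True:
        pos = data.find(b"MZ", pos)
        if pos < 0 or pos + 0x40 > len(data):
            return hits
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe = pos + e_lfanew
        if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
            section_end = pe_section_end(data, pe)
            if section_end and pos + section_end <= len(data):
                carved = data[pos:]
                hits.append({
                    "offset": pos,
                    "size": len(carved),
                    "section_end": section_end,
                    # bytes past the last section: Authenticode signature, appended payload, ...
                    "overlay": len(carved) - section_end,
                    "sha256": hashlib.sha256(carved).hexdigest(),
                })
                pos += section_end
                continue
        pos += 2


def carve_reaches_eof(container_size: int, offset: int, carved_size: int) -> bool:
    """True when offset + carved size equals the container size, i.e. the PE runs to end of file."""
    return offset + carved_size == container_size


def build_sample() -> bytes:
    """Constructed stand-in for the report's file: OLE header, MSI root CLSID, a minimal
    one-section PE at 0xA000 and a 0x100-byte overlay. Not the analysed sample."""
    head = OLE_MAGIC + b"\0" * 0x78 + MSI_ROOT_CLSID
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sect = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = mz + coff + opt + sect
    headers += b"\0" * (0x200 - len(headers))
    pe = headers + b"\xcc" * 0x200 + b"0\x82" * 0x80          # section data, then an overlay
    return head + b"\0" * (0xA000 - len(head)) + pe


if __name__ == "__main__":
    blob = build_sample()
    print(classify_container(blob))
    for hit in carve_embedded_pe(blob):
        print(hit)
    print("report carve reaches EOF:", carve_reaches_eof(999 * 1024, 0xA000, 982016))
```

The overlay figure is the useful extra: a non-zero overlay on a carved installer stub is where the signature (or an appended payload) sits, so check it before deciding the carve is just the bare executable.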