Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 5d24ee917de8d274…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC
Size: 196.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: fbe4f9482f2fede6408713f5b8e682c0
SHA-1: 34ae6e3e3c478536a4b6a6dfd06edca09e411630
SHA-256: 5d24ee917de8d274a6b8db618913f069744b6ee946a6a92a16aab30bd59be2d3
Risk score: 220

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment; T1203 Exploitation for Client Execution

The file is a malicious Office (OLE) document carrying an embedded PE executable. The executable starts at offset 0x6000 and was carved out as embedded_office_00006000.exe (176128 bytes; 0x6000 + 176128 = 200704 bytes, which is exactly the file's 196.0 KB, so the executable runs to the end of the document). The embedded executable is the primary indicator of malicious intent and is most likely the second-stage payload the document drops and runs. The remaining heuristics are byte-pattern and string matches: a run of 20 or more 0x90 bytes (a NOP sled) and references to CreateProcess, LoadLibrary and GetProcAddress, the APIs a dropper uses to launch a written file and that position-independent shellcode uses to resolve imports at run time; together they suggest shellcode or exploit code. Two caveats apply when weighing them: every Windows executable names these APIs in its import table, so the string hits may come from the embedded PE rather than from exploit code in the document itself, and long runs of 0x90 also occur as padding. Static analysis alone does not establish how the document launches the executable (an exploit, a macro, or an OLE package object the user must activate), so the T1203 mapping rests on the shellcode indicators and is best confirmed by inspecting the OLE streams or by dynamic analysis.

Heuristics (5)

  • OLE_EMBEDDED_EXE (critical): Embedded PE executable. MZ/PE header found inside document; possible embedded executable.
  • SC_NOP_SLED (high): NOP sled detected. Found 20+ consecutive 0x90 bytes.
  • SC_STR_CREATEPROCESS (high): Reference to CreateProcess API.
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API.
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x6000
Size: 176128 bytes
SHA-256: 8004b8f924d70b0d4cb11857056dcfcda4767d434b742cc95a2451a7146e3f0f
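As an added example (not the analysis platform's code, and not the real payload), the Python scanner below re-implements the three document heuristics listed above (OLE_EMBEDDED_EXE, SC_NOP_SLED, SC_STR_* API references) and the PE carve shown in the artifact table, then runs them over a constructed OLE document that embeds a synthetic PE32 at offset 0x600 rather than 0x6000. Function names such as carve_pe, analyze and build_sample, the 0x1000 sanity bound on e_lfanew and the test document itself are assumptions of this example. It goes one step beyond the report by recording whether each API-name hit sits inside the carved PE, since an import-table hit says nothing about the document around it.

```python
"""Re-implementation, for illustration, of the report's heuristics and PE carve.
Added example, not the analysis platform's own code. The document it scans is
built in build_sample() and holds a synthetic PE, not the real payload."""
import hashlib
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file (OLE2) signature
NOP_SLED_MIN = 20                                # report threshold: 20+ consecutive 0x90
API_NAMES = (b"CreateProcess", b"LoadLibrary", b"GetProcAddress")


def carve_pe(data: bytes, mz_off: int):
    """Return the PE image starting at mz_off, or None if no valid PE header follows.
    On-disk size = end of the last section's raw data (or of the headers if none)."""
    if data[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    # 0x1000 is a sanity bound on the DOS stub chosen for this example, not a format limit
    if e_lfanew > 0x1000 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsections = struct.unpack_from("<H", data, pe + 6)[0]     # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # COFF SizeOfOptionalHeader
    sec_table = pe + 24 + opt_size
    end = e_lfanew + 24 + opt_size + 40 * nsections            # header end, relative to MZ
    if mz_off + end > len(data):
        return None
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)                     # PointerToRawData + SizeOfRawData
    return data[mz_off:mz_off + end]                            # truncated if the file is short


def find_embedded_pes(data: bytes):
    """OLE_EMBEDDED_EXE: every MZ whose e_lfanew lands on a PE signature, with carved bytes."""
    found, pos = [], data.find(b"MZ")
    while pos >= 0:
        carved = carve_pe(data, pos)
        if carved is not None:
            found.append((pos, carved))
        pos = data.find(b"MZ", pos + 2)
    return found


def find_nop_sleds(data: bytes, minimum: int = NOP_SLED_MIN):
    """SC_NOP_SLED: runs of at least `minimum` 0x90 bytes, as (offset, length)."""
    pattern = rb"\x90{%d,}" % minimum
    return [(m.start(), m.end() - m.start()) for m in re.finditer(pattern, data)]


def find_api_refs(data: bytes, names=API_NAMES):
    """SC_STR_*: offsets of each API name (prefix match, so LoadLibraryA/W both count)."""
    return {n.decode(): [m.start() for m in re.finditer(re.escape(n), data)] for n in names}


def analyze(data: bytes):
    """Combine the heuristics as the report does, but split API-name hits by location:
    a hit inside a carved PE is most likely its import table (every benign EXE has one);
    only hits outside any PE point at shellcode or exploit code in the document itself."""
    pes = find_embedded_pes(data)
    spans = [(off, off + len(blob)) for off, blob in pes]

    def in_pe(offset):
        return any(start <= offset < stop for start, stop in spans)

    return {
        "is_ole": data.startswith(OLE_MAGIC),
        "embedded_pe": [{"offset": off, "size": len(blob),
                         "sha256": hashlib.sha256(blob).hexdigest()} for off, blob in pes],
        "nop_sleds": find_nop_sleds(data),
        "api_refs": {name: {"in_pe": [o for o in offs if in_pe(o)],
                            "outside_pe": [o for o in offs if not in_pe(o)]}
                     for name, offs in find_api_refs(data).items()},
    }


def build_sample():
    """Constructed document (not the real sample): OLE magic, zero padding, then a
    synthetic PE32 at 0x600 whose single section holds a NOP sled and API names."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                        # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)  # i386, 1 section
    section = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
               + b"PE\0\0" + coff + opt + section).ljust(0x200, b"\0")
    body = (b"\x90" * 24 + b"LoadLibraryA\0GetProcAddress\0CreateProcessA\0").ljust(0x200, b"\0")
    return OLE_MAGIC.ljust(0x600, b"\0") + headers + body + b"\0" * 0x100


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample()), indent=2))
```

Running the script on the constructed document reports one embedded PE at 0x600 of 0x400 bytes, one 24-byte NOP sled, and all three API names inside the carved PE with nothing outside it, which is the pattern a benign executable would also produce; on the real sample the same split between in_pe and outside_pe hits is what decides whether the SC_STR_* and SC_NOP_SLED heuristics add evidence of exploit code beyond the embedded executable itself.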