Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6176db5cc8bbc511…

MALICIOUS

Office (OLE) / .DOC

196.0 KB Created: 2012-09-21 09:56:09 Authoring application: Windows Installer
MD5: 82f255445f4b4e2bcd02790cdaff491d SHA-1: f30757a3a73bd736e0a9c1c3465980f2fbaf9df1 SHA-256: 6176db5cc8bbc511454dafc5fc985ad7ca0196f285a8a02f95b18329519b7a63
180 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely a payload. The document body contains strings related to installation and execution, such as rundll32.exe commands, further supporting the payload delivery. The embedded executable itself is the primary IOC.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00006000.exe
043c6bef1bb9b7ed6f0fa2bb96f19e2f5c2b24ab1acc2a9cd3134b0cfb06952c		 embedded-pe Office MZ+PE at offset 0x6000 176128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.