Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 619e3180d7f2f29f…

Verdict: MALICIOUS
File type: Office (OLE) / .XLS
Size: 16.3 KB
MD5: 00b1c8282ac2e0eb13d366d81a7ac7aa
SHA-1: 5f9b7e2537a9b5628bd0dcbd0ac0fe98c8be789b
SHA-256: 619e3180d7f2f29fbf466516a55673281d07b3d0aa30c423968499178ad89523
Risk score: 482

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1055 Process Injection
  • T1105 Ingress Tool Transfer

The sample is an OLE file containing an embedded PE executable, identified by ClamAV as Win.Worm.Brontok-88. Heuristics indicate the use of WinExec, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, and LoadLibrary, strongly suggesting process injection capabilities. The file's structure and embedded nature point towards it acting as a loader for a secondary malicious payload.

Heuristics (11)

  • Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY)
  • Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD)
  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Worm.R-94 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Worm.R-94
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • x86 GetPC stub (CALL $+5; POP ECX) (high, SC_GETPC_CALL)
  • Reference to WinExec API (high, SC_STR_WINEXEC)
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
  • Unsupported Office format for VBA extraction (info, OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (FileOpenError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML; re-scanning the same bytes will yield the same outcome.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_000016bf.exe
SHA-256: 737a31982c809258cc84f2d994e0c12fd3768a100237e298ff12a3609d343ef4
Kind: embedded-pe
Source: Office MZ+PE at offset 0x16BF
Size: 10859 bytes
Detection: ClamAV: Win.Worm.Brontok-88
Obfuscation or payload: unlikely