Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 637c782adf23fb65…

MALICIOUS

Office (OLE)

Size: 158.5 KB
First seen: 2012-06-14
MD5: 3d38d490c6828a9da5f135e163ace64a
SHA-1: aa20afb6788940972c3115decfe232e88b79b5fb
SHA-256: 637c782adf23fb65714fc0c4f4e9b52860f9ac7cff6270d553bf6acc4f7ba4af
Risk score: 320

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample exhibits high-confidence heuristic firings related to the execution of external processes (WinExec, CreateProcess) and dynamic library loading (LoadLibrary, GetProcAddress), indicating it is designed to launch additional malicious code. The ClamAV detection name 'Doc.Dropper.Agent-6541556-0' further supports its role as a dropper. The OLE slack anomaly suggests possible obfuscation or embedded malicious content.

Heuristics (8)

  • Office EPRINT stream contains EMF object (severity: high; CVE-related; rule: OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and counts as Office object-delivery evidence when paired with exploit-payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Dropper.Agent-6541556-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6541556-0
  • Reference to WinExec API (severity: high; rule: SC_STR_WINEXEC)
    Reference to the WinExec API
  • Reference to CreateProcess API (severity: high; rule: SC_STR_CREATEPROCESS)
    Reference to the CreateProcess API
  • Reference to LoadLibrary API (severity: high; rule: SC_STR_LOADLIBRARY)
    Reference to the LoadLibrary API
  • Reference to GetProcAddress API (severity: high; rule: SC_STR_GETPROCADDRESS)
    Reference to the GetProcAddress API
  • OLE document has large unaccounted-for region (severity: high; rule: OLE_SLACK_ANOMALY)
    The OLE file is 162,304 bytes, but its declared streams total only 31,351 bytes; the remaining 130,953 bytes (81%) lie in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (severity: medium; rule: SC_STR_VIRTUALALLOC)
    Reference to the VirtualAlloc API