Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6a6e29a9ffa47411…

MALICIOUS

Office (OLE)

852.0 KB Created: 2003-07-13 10:04:24 Authoring application: Microsoft Excel First seen: 2019-10-29
MD5: 433da632461677d6fde4c0d360e55a84 SHA-1: ec5ad7035319d31013875787fd2d181932225c26 SHA-256: 6a6e29a9ffa47411c8486c902c4d9dc81c86f9579061c9255aa21dc652b3b4bf
582 Risk Score

Malware Insights

MITRE ATT&CK
T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an OLE document that contains an embedded executable, identified by ClamAV as a Trojan Agent. Heuristics indicate the use of APIs for process creation (CreateProcess, ShellExecute) and downloading files (URLDownloadToFile), suggesting the embedded executable is a secondary payload. The document body explicitly states 'This is an Antivirus Bait file', which is a common lure.

Heuristics 13

  • ClamAV: Xls.Dropper.Agent-7003910-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7003910-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 872,440 bytes but its declared streams total only 12,288 bytes — 860,152 bytes (99%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0 In document text (OLE body)
    • https://loginnet.passport.com/RST.srfIn document text (OLE body)
    • https://loginnet.passport.com/ppsecure/md5auth.srfIn document text (OLE body)
    • https://loginnet.passport.com/resetpw.srfIn document text (OLE body)
    • https://certservices.passport.com/slca.srfIn document text (OLE body)
    • http://www.Passport.comIn document text (OLE body)
    • http://crl.verisign.com/ThawteTimestampingCA.crl0In document text (OLE body)
    • http://crl.verisign.com/tss-ca.crl0In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0OIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0In document text (OLE body)
    • http://office.microsoft.comIn document text (OLE body)
    • https://www.verisign.com/rpaIn document text (OLE body)
    • https://www.verisign.com/rpa01In document text (OLE body)
    • http://crl.verisign.com/pca3.crl0In document text (OLE body)
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DIn document text (OLE body)
    • https://www.verisign.com/rpa0In document text (OLE body)
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0In document text (OLE body)
    • http://www.w3.org/2000/09/xmldsig#In document text (OLE body)
    • http://schemas.microsoft.com/Passport/PPCRLIn document text (OLE body)
    • http://clientconfig.passport.net/ppcrlconfig.srfIn document text (OLE body)
    • https://accountservices.passport.net/ppnetworkhome.srfIn document text (OLE body)
    • https://accountservices.passport.net/accountservices.srfIn document text (OLE body)
    • https://accountservices.passport.net/hp.srfIn document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0In document text (OLE body)

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000660a.exe embedded-pe Office MZ+PE at offset 0x660A 846318 bytes
SHA-256: e693727d93a5ddeee55e57e450ade2dc9b3ca129c0c184c0b9db94f87215beaf
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off00003605.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x3605 858611 bytes
SHA-256: 7f5af4011ee2100c564bbc3b048f44c3fa4764bab77afc8c45a30acee23863b4
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off00006480.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x6480 846712 bytes
SHA-256: 1fb191918d42c4d25f904645db349da97eb084500912ddc8ed688eeefc076bf0
Detection
ClamAV: Win.Trojan.Agent-6943819-1
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_0000660a_1.exe embedded-pe Office MZ+PE at offset 0x660A 411245 bytes
SHA-256: a89b468586375994d8ea301fa05f73f33a807044401690cf5021c7667fa0fa76
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off0006a381.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x6A381 437367 bytes
SHA-256: d32fe892a348d209d53237011276e2bd42419d4fb213d0b0c879483d38e37986
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln
embedded_office_off0006d986.ole embedded-office Embedded OLE/CFB Office body inside ole container at offset 0x6D986 423538 bytes
SHA-256: 3934bbfdaa083aea603a0f195d7a57d3690e301faf58879702da9cbb749f52ab
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmdln

Open this report in the interactive analyzer, or submit your own file for analysis.