Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 6ca9c663d1eeb5ce…

MALICIOUS

Office (OLE) / .DOC

196.0 KB Created: 2012-09-21 09:56:09 Authoring application: Windows Installer
MD5: 612501eebc731337f3d8565d02f86bad SHA-1: 86b9d57a6fca406a01bb7cfdb61d9d0996167637 SHA-256: 6ca9c663d1eeb5ce88a6d9a811cab9d3dfd94bde72af9e29f5a5e5d5875902c0
180 Risk Score

Malware Insights

MITRE ATT&CK
T1105 Ingress Tool Transfer T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely dropped and executed. The document body contains numerous Windows API references and registry paths, but no direct instructions or lures are apparent. The presence of an embedded executable strongly suggests an attempt to download and execute a second-stage payload.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00006000.exe
73293aa7fa24e4efa5b5cbc335169283ddbb0f1b31faec6c68832cc27d93c911		 embedded-pe Office MZ+PE at offset 0x6000 176128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.