Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6fb472c308bb030c…

MALICIOUS

Office (OLE)

Size: 374.5 KB
Created: 2015-01-14 12:38:00
Authoring application: Microsoft Office Word
First seen: 2015-02-05
MD5: 79f7177648c69c6d486e8cb523f1294a
SHA-1: 41c5137a0d7f7fcac325bf92c54929f269404fe3
SHA-256: 6fb472c308bb030c04c5dc465bbe59038aaff47d3974a9af777590bf628c5d0b
Risk Score: 342

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution
Note: none of the heuristics below points to an exploited vulnerability; an Ole10Native package runs only when the recipient activates the embedded object, so T1204.002 (User Execution: Malicious File) describes the execution step more precisely than T1203.

This Office document contains an embedded PE executable, identified by an MZ header whose e_lfanew points at a valid PE signature. The OFFICE_PACKAGE_RISKY_FILE heuristic fired because the Ole10Native package names an auto-executable drop target, 'C:\ENRC.exe': on activation, Packager writes the payload under that name and launches it. Strings referencing CreateProcess, URLDownloadToFile, VirtualAlloc, VirtualProtect, LoadLibrary and GetProcAddress in the embedded executable are consistent with a downloader or dropper: URLDownloadToFile followed by CreateProcess is the classic fetch-and-run pair, and VirtualAlloc/VirtualProtect combined with LoadLibrary/GetProcAddress is typical of runtime API resolution or in-memory unpacking. Import strings alone do not prove behaviour (all six also appear in benign software); the carved payload should be detonated to confirm the download URL and second stage, neither of which is recoverable from static strings here.

Heuristics (9)

  • Reference to URLDownloadToFile API [critical] SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document, possible embedded executable
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API [medium] SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.thawte.com  In document text (OLE body)
    • http://ts-ocsp.ws.symantec.com  In document text (OLE body)
    • http://crl.thawte.com/ThawteTimestampingCA.crl  In document text (OLE body)
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer  In document text (OLE body)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl  In document text (OLE body)
    Note: the stray characters that followed each URL in the raw extraction ("0", "07", "0(") are the adjacent DER tag/length bytes of the certificate that carries the URL, not part of the URL. All five are OCSP, CRL and AIA endpoints of the Thawte/Symantec timestamping CA chain, the kind of URLs carried in an X.509 certificate inside an Authenticode signature or timestamp countersignature, most likely on the embedded executable. They are certificate-infrastructure locations, not a payload download or command-and-control address, and should not be blocked or hunted as indicators.
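The following is an added example, not code from the report or from the analysis engine that produced it. It shows the two checks the OLE_EMBEDDED_EXE and OFFICE_PACKAGE_RISKY_FILE heuristics describe, and the MZ+PE carve used in the artifacts section: parse an Ole10Native (Packager) stream into its label, fullPath, temp path and payload, flag an auto-executable drop name, and confirm the payload is a PE by following e_lfanew to the "PE\0\0" signature rather than trusting "MZ" alone. The stream layout follows the Packager format (size, type 0x0002, label, fullPath, flags, temp-path length, temp path, payload size, payload); the extension list and the sample stream with a non-loadable MZ/PE stub are constructed here for illustration and are assumptions of the example. Reading the stream out of the compound file (ObjectPool/_1482726180/Ole10Native) is left to an OLE parser such as olefile.

```python
import struct

# Extensions Windows runs directly on double-click. Assumption: this list is the
# example's own approximation of the report's "auto-executable" set.
AUTO_EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                  ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".lnk"}


def _cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at off; return (text, next_off)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse the header of an Ole10Native stream written by the Packager object.

    Layout: DWORD size, WORD type (0x0002), label\\0, fullPath\\0, DWORD flags,
    DWORD tempPathLen, tempPath (NUL included), DWORD payloadSize, payload.
    """
    total, kind = struct.unpack_from("<IH", stream, 0)
    off = 6
    label, off = _cstring(stream, off)
    full_path, off = _cstring(stream, off)
    off += 4                                            # flags DWORD, not needed here
    temp_len, = struct.unpack_from("<I", stream, off)
    off += 4
    temp_path = stream[off:off + temp_len].rstrip(b"\x00").decode("latin-1")
    off += temp_len
    size, = struct.unpack_from("<I", stream, off)
    off += 4
    payload = stream[off:off + size]
    if len(payload) != size:                            # truncated stream: do not trust the rest
        raise ValueError("Ole10Native payload truncated (%d of %d bytes)" % (len(payload), size))
    return {"type": kind, "label": label, "full_path": full_path,
            "temp_path": temp_path, "payload": payload, "payload_offset": off}


def is_pe(blob: bytes, off: int = 0) -> bool:
    """True if blob[off:] starts with MZ and e_lfanew (at +0x3C) points at 'PE\\0\\0'."""
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return False
    e_lfanew, = struct.unpack_from("<I", blob, off + 0x3C)
    return blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"


def find_pe_offsets(blob: bytes) -> list:
    """Every offset in blob with a verified MZ+PE header (the 'MZ+PE at offset' carve).
    A bare 'MZ' match without the PE signature is ignored, which removes most false hits."""
    hits, i = [], blob.find(b"MZ")
    while i != -1:
        if is_pe(blob, i):
            hits.append(i)
        i = blob.find(b"MZ", i + 1)
    return hits


def risky_extension(path: str) -> bool:
    """Apply the OFFICE_PACKAGE_RISKY_FILE rule to a displayName or fullPath."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in AUTO_EXEC_EXTS)


def assess(stream: bytes) -> dict:
    """Combine both heuristics for one Ole10Native stream."""
    info = parse_ole10native(stream)
    info["risky_package"] = risky_extension(info["full_path"]) or risky_extension(info["label"])
    info["embedded_pe"] = is_pe(info["payload"])
    return info


# --- constructed sample data (not from the analysed document) ------------------
def build_fake_pe() -> bytes:
    """Minimal MZ stub plus PE signature; enough for header checks, not loadable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_ole10native(label: str, full_path: str, temp_path: str, payload: bytes) -> bytes:
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + full_path.encode() + b"\x00"
    body += struct.pack("<I", 0) + struct.pack("<I", len(temp_path) + 1) + temp_path.encode() + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Drop name mirrors the report's finding; the payload is the constructed stub above.
SAMPLE = build_ole10native("ENRC.exe", r"C:\ENRC.exe", r"C:\ENRC.exe", build_fake_pe())

if __name__ == "__main__":
    r = assess(SAMPLE)
    print("fullPath=%s risky_package=%s embedded_pe=%s payload=%d bytes at +%d"
          % (r["full_path"], r["risky_package"], r["embedded_pe"], len(r["payload"]), r["payload_offset"]))
```

On a real sample, run assess() on the bytes of the Ole10Native stream and hash info["payload"] rather than the whole stream: that hash is what the dropped C:\ENRC.exe will have on disk, which is the value worth pivoting on.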

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                                                        Size
embedded_office_0000464a.exe  embedded-pe  Office MZ+PE at offset 0x464A                                 365494 bytes
  SHA-256: 24f1a78ea7b9d446dc5fe4a12275f2fa773befbba9266a8dbb846a7360d78b41
ole10native_00.bin            ole-package  OLE Ole10Native stream: ObjectPool/_1482726180/Ole10Native    357052 bytes
  SHA-256: e5d4f1cf8c3471098b651546f4646bad62b4b2c7d03357a2c45f74a5ca2400d8

Note on sizes: the executable lives inside the Ole10Native stream, so it cannot be larger than that stream's 357052 bytes, yet the embedded-pe artifact is 365494 bytes. 0x464A (17994) + 365494 = 383488 bytes, which is exactly 374.5 KB, the reported sample size: the MZ+PE carve runs from the header to end of file and includes whatever container data follows the executable. Its SHA-256 therefore hashes that slice, not the dropped file, and will not match the binary written to C:\ENRC.exe. Use the payload inside ole10native_00.bin (the stream body after the label and path header) as the file to hash, pivot on and detonate.