MALICIOUS
342
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
This Office document contains an embedded PE executable, identified by MZ headers and verified as a PE file. The 'OFFICE_PACKAGE_RISKY_FILE' heuristic indicates that the Ole10Native package is designed to drop an auto-executable payload named 'C:\ENRC.exe'. The presence of API calls like CreateProcess, URLDownloadToFile, VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress suggests the embedded executable is likely a downloader or dropper for further malicious activity.
Heuristics 9
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ocsp.thawte.com0 In document text (OLE body)
- http://ts-ocsp.ws.symantec.com07In document text (OLE body)
- http://crl.thawte.com/ThawteTimestampingCA.crl0In document text (OLE body)
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer0In document text (OLE body)
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(In document text (OLE body)
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_0000464a.exe |
embedded-pe | Office MZ+PE at offset 0x464A | 365494 bytes |
SHA-256: 24f1a78ea7b9d446dc5fe4a12275f2fa773befbba9266a8dbb846a7360d78b41 |
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1482726180/Ole10Native | 357052 bytes |
SHA-256: e5d4f1cf8c3471098b651546f4646bad62b4b2c7d03357a2c45f74a5ca2400d8 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.