Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 72ee225fe30bf767…

MALICIOUS

Office (OLE) / .DOC

546.5 KB Created: 2009-12-11 11:47:44 Authoring application: Advanced Installer 16.2 build 436ecd62
MD5: 0b70ca811248caad0be8b76b000154c1 SHA-1: 19e6d4a7e2348c9fd1a78a61cbd056b4378180a5 SHA-256: 72ee225fe30bf767aef0551d2f38a596e407bd14bb6a60c3b0b2ff4b52bbdefb
362 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer T1059.005 Visual Basic

The document is identified as malicious due to the presence of an embedded PE executable and heuristics indicating the use of APIs like CreateProcess and ShellExecute. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document's purpose is to trick the user into handling a password-protected archive, likely containing the embedded executable. The embedded executable itself is the primary IOC, and several unknown URLs were also extracted.

Heuristics 10

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://t2.symcb.com0
    • http://tl.symcd.com0&
    • http://s.symcd.com06
    • http://ts-ocsp.ws.symantec.com0
    • http://t1.symcb.com/ThawtePCA.crl0
    • http://tl.symcb.com/tl.crl0
    • https://www.thawte.com/cps0/
    • https://www.thawte.com/repository0W
    • http://tl.symcb.com/tl.crt0
    • https://www.advancedinstaller.com
    • https://d.symcb.com/cps0%
    • https://d.symcb.com/rpa0
    • http://s.symcb.com/universal-root.crl0
    • https://d.symcb.com/rpa0@
    • http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    • http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00011a00.exe
07ac89e47b7ad2fe5538b3cb5456daf6bf78d550d9b8cacdec6f829424a81f5a		 embedded-pe Office MZ+PE at offset 0x11A00 487424 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 18 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.