Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 740f7b15b7410187…

MALICIOUS

Office (OLE) / .DOC

Size: 196.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: 745cb74ba122d5985a491cccbd6852e9
SHA-1: b3f3eff71830effb680619f0cf91007f2dec60d2
SHA-256: 740f7b15b74101871b3f1538bd858f67162889fcba6cef69d34ff6283273e765
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is likely dropped and executed. The document body contains numerous API references and registry paths related to Windows installation and execution, further supporting this. The embedded executable is the primary IOC.

Heuristics (4)

  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document: possible embedded executable
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                         Size
embedded_office_00006000.exe  embedded-pe  Office MZ+PE at offset 0x6000  176128 bytes
  SHA-256: cf277445d1705534876cbc5bef7c1301f9c279d8898c4610f0b0891e32b2e2a2