Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 787ac4c398a4a208…

MALICIOUS

Office (OLE) / .DOC

Size: 591.5 KB
Created: 2009-12-11 11:47:44
Authoring application: Advanced Installer 12.3 build 64631
MD5: f70ca5997caa3d837cd939c8ef56e6ef
SHA-1: e843b585d67e60d8bf72a9923813ada5031f3156
SHA-256: 787ac4c398a4a208fe6139811ef1b48a2af8cbea45cd54687657d3bfb47b2837
Risk Score: 362

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing an embedded PE executable. It references CreateProcess, ShellExecute, LoadLibrary, and GetProcAddress APIs, indicating it likely attempts to execute or load the embedded payload. Heuristics also indicate the use of PowerShell and Windows Script Host, suggesting the document may be used to download and execute additional malware. The embedded executable is the primary IOC.

Heuristics (10)

  • Embedded PE executable (critical, OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
    Reference to ShellExecute API
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://drivers.windows10download.com/w10-microsoft-usb-input-device-driver-10-0-10240-16384-for-windows-10-wllll/download.htmlButtonText_OKOKErrorDialogErrorDlgAiPrerequisitesColumsPrereqLabel,PrereqReq,PrereqFound,PrereqActionButtonText_BrowseBr&owse...NewDirIconNewProductNameWindows
    • http://ocsp.thawte.com0
    • http://t2.symcb.com0
    • http://ts-ocsp.ws.symantec.com07
    • http://tl.symcd.com0&
    • http://www.advancedinstaller.com0
    • http://crl.thawte.com/ThawteTimestampingCA.crl0
    • http://t1.symcb.com/ThawtePCA.crl0
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    • http://tl.symcb.com/tl.crl0
    • https://www.thawte.com/cps0/
    • https://www.thawte.com/repository0
    • http://tl.symcb.com/tl.crt0
    • http://www.w3.org/2000/09/xmldsig#xmlnsswidxmlns:swidhttp://standards.iso.org/iso/19770/-2/2008/schema.xsdxmlnsxsixmlns:xsihttp://www.w3.org/2001/XMLSchema-instancexsischemaLocationxsi:schemaLocationhttp://standards.iso.org/iso/19770/-2/2008/schema.xsd

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00015a00.exe
SHA-256: bfe672a11fb15efaaf7e5e071b4bdb6f7fa8494030ed865b4b24aec98a41aa17
Kind: embedded-pe
Source: Office MZ+PE at offset 0x15A00
Size: 517120 bytes