Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 79209202050191a0…

MALICIOUS

Office (OLE) / .DOC

72.5 KB
MD5: b3fe8f2c435c82af4a079bf31b870d47
SHA-1: 189f33a6b14a323bc31996708db6d8642033f1ce
SHA-256: 79209202050191a0b4686d92592d8ec809a97e2f13b2438b7b3b94aebe4f3609

Risk score: 222

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious OLE document containing an embedded PE executable. The document body attempts to engage the recipient with a cultural exchange proposition, likely as a pretext for delivering the embedded payload. The presence of CreateProcess, LoadLibrary, and GetProcAddress API calls suggests the embedded executable is designed to run and potentially load additional malicious code.

Heuristics (7)

  • Embedded PE executable [critical] (OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to LoadLibrary API [high] (SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] (SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualProtect API [medium] (SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • CFB header with no readable streams [medium] (OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Unsupported Office format for VBA extraction [info] (OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: embedded_office_0000ddf0.exe
    SHA-256: 412f2cef0d56f613660cbc23dd14d74056502652987161837e7b86706a478a38
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0xDDF0
    Size: 17408 bytes