Zlobotina — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 7af1402fd67d8af2…

MALICIOUS

Office (OLE) / .DOC

219.5 KB
MD5: 8bf827320732517249966cc4f3d8dd01 SHA-1: babd74940c8e21bd4de095f8cb41f33c9ed06b33 SHA-256: 7af1402fd67d8af23d7cbdcd7085c641ea4f5c06a511c05429cc65d702aa545a
422 Risk Score

Malware Insights

Zlobotina · confidence 95%

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1059.001 PowerShell T1059.003 Windows Command Shell T1059.005 Visual Basic T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Win.Trojan.Zlobotina-1. Static analysis revealed an embedded PE executable, indicating a likely delivery mechanism for a secondary payload. The heuristics suggest the malware uses common techniques for API resolution and memory manipulation, such as PEB access and VirtualAlloc/VirtualProtect calls. No VBA macros were extractable, but the presence of the embedded executable is a critical indicator of malicious intent.

Heuristics 11

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Zlobotina-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Zlobotina-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00018200.exe
b92d865dbcd1d2742200802fc37694e982f2d30636a69bc16e1ad675722d9aea		 embedded-pe Office MZ+PE at offset 0x18200 125952 bytes
Detection
ClamAV: Win.Trojan.Zlobotina-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.