Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 89d2b33d216f4871…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 352.0 KB
Created: 1999-04-13 20:07:00
Authoring application: Microsoft Word 8.0
First seen: 2015-08-19
MD5: a68b99c471dd74c95c242adac3d6ad12
SHA-1: 4d2d2a5bcacd81ff1af6c697022db64a21030539
SHA-256: 89d2b33d216f487122cfc647404128843b26f90eb10b31580e00dabd2207cacc
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This Office document contains an embedded PE executable (i.exe), which is flagged as a critical finding. The document also references the WinExec and VirtualAlloc APIs, suggesting that it executes external code. The embedded executable is likely a secondary payload dropped by the document, indicating dropper functionality.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6586737-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6586737-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • embedded_office_0004262e.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x4262E
    Size: 88530 bytes
    SHA-256: 79a92ce1c055fc6d65eb9175208a32b80615062d3cd0dce76e6d397a8658479e
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_983547946/Ole10Native
    Size: 41572 bytes
    SHA-256: f73fab84adc922b6ff9eed356986d3e143c0e76353c042aeb7c6470cd7a8b2f3