Zlobotina — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 8de54be428eebcda…

MALICIOUS

Office (OLE) / .DOC

284.0 KB
MD5: bbc408ea98b3b3e109e9edcea7328b63 SHA-1: eb0c1451c1517ca615682b7f17be07b73b47bb19 SHA-256: 8de54be428eebcdad66d34c9af5a5f30b7a4a2a86b7f1f1268c2af1bb06bc78b
422 Risk Score

Malware Insights

Zlobotina · confidence 95%

MITRE ATT&CK
T1555 Credentials from Password Stores T1059 Command and Scripting Interpreter T1204 Malicious Link T1027 Obfuscated Files or Information T1105 Ingress Tool Transfer

The file is identified as malicious by ClamAV with the signature Win.Trojan.Zlobotina-1. Static analysis revealed an embedded PE executable, indicating a likely dropper or downloader functionality. The presence of API hashing and PEB access techniques suggests sophisticated evasion methods. The document body is heavily corrupted, preventing analysis of its content, but the embedded executable is the primary indicator of malicious intent.

Heuristics 11

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Zlobotina-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Zlobotina-1
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00018200.exe
35b1678d768739da3a867bfc72f001d65279d7b59817245821a8274b279b7c2b		 embedded-pe Office MZ+PE at offset 0x18200 192000 bytes
Detection
ClamAV: Win.Trojan.Zlobotina-1
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.