Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 92bf38de2bec5f3d…

Verdict: MALICIOUS

File type: Office (OLE) / .DOC

Size: 196.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: 37a0becb8d6654ce0a215b9a7e5493b2
SHA-1: 80fc1d18e07109ca930faca972e4146369a1bab4
SHA-256: 92bf38de2bec5f3de5c6eba418d7ce06812dffe677c16332af65a130f817a1c4
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious OLE document containing an embedded PE executable. String heuristics flag references to the CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the embedded executable is dropped and executed. The document body also contains numerous references to Windows Installer and setup APIs, hinting at an installation or execution routine for the embedded payload.

Heuristics (4)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API [high] SC_STR_CREATEPROCESS
    String reference to the CreateProcess API
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    String reference to the LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    String reference to the GetProcAddress API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
SHA-256: d5381b87d94f371cfa489f32108bb3c5b09c63c7ddc4d806fcce2c9c135e9bd5
Kind: embedded-pe
Source: Office MZ+PE at offset 0x6000
Size: 176128 bytes