Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 964e264ece7fcb86…

MALICIOUS

Office (OLE) / .DOC

Size: 196.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: 2a946a7a5eb292e76b9a6172666f31f9
SHA-1: 72c90f3299dd84f64a1dd1cd03c68574b7e12c44
SHA-256: 964e264ece7fcb86df194ed5773d83e298b513c320857b0106c845d4dca0e29c
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell; T1204.002 Malicious File; T1105 Ingress Tool Transfer

The file is an Office document containing an embedded PE executable. String heuristics found references to the CreateProcess, LoadLibrary, and GetProcAddress APIs, which suggests the document is designed to execute the embedded payload. The embedded executable is the primary IOC. The document body contains numerous Windows API references and registry paths, but no clear user-facing lure.

Heuristics (4)

  • [critical] OLE_EMBEDDED_EXE: Embedded PE executable
    MZ/PE header found inside document, possible embedded executable
  • [high] SC_STR_CREATEPROCESS: Reference to CreateProcess API
  • [high] SC_STR_LOADLIBRARY: Reference to LoadLibrary API
  • [high] SC_STR_GETPROCADDRESS: Reference to GetProcAddress API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
SHA-256:  7f97478b05fb1562118ec320c4dcc0337dd157dad842fd1eb5ba09984f8a50d2
Kind:     embedded-pe
Source:   Office MZ+PE at offset 0x6000
Size:     176128 bytes