Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 98867c79b9cad272…

MALICIOUS

Office (OLE) / .DOC

Size: 192.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: 282df9944059acd45240ee729c39784b
SHA-1: b4e15607a6ca5917db3dac0d81b010d272f6caf4
SHA-256: 98867c79b9cad272ed464ae52a82b233a7ac1d2ecaf0642148cb26b896413e29
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The critical OLE_EMBEDDED_EXE heuristic indicates the presence of a Portable Executable (PE) file embedded within the document. This embedded executable, named 'embedded_office_00006000.exe', is the primary indicator of malicious intent. The file likely functions as a dropper, designed to extract and execute the embedded payload when the document is opened or interacted with by the user. The presence of CreateProcess, LoadLibrary, and GetProcAddress API references further supports the payload execution mechanism.

Heuristics (4)

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
SHA-256: fffe52448fe4f3a26da3a89cca913b5635f52e1bf924f1e3819d7c598c613c1d
Kind: embedded-pe
Source: Office MZ+PE at offset 0x6000
Size: 172032 bytes