Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 9cbb64058223c03d…

MALICIOUS

Office (OLE) / .DOC

Size: 1005.0 KB
Created: 1996-02-12 19:56:00
Authoring application: Microsoft Word 6.0
MD5: f1df499b4ebdaf2705db1a245c2e0f4d
SHA-1: 684d069a7e31124465d63572059898b8b0d8a67e
SHA-256: 9cbb64058223c03d5165d10e9c6924afa3a560ef0cc839df89f34e811547a3b1
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1137.001 DLL Search Order Hijacking

The sample is a Microsoft Word document containing an embedded PE executable. Heuristics indicate the presence of a NOP sled, PEB access, and calls to LoadLibrary and GetProcAddress, suggesting the embedded executable is designed to be loaded and executed. The document body itself is benign technical text, indicating the executable is the primary malicious component. No scripts were extracted, and the embedded executable was not analyzed further in this pass.

Heuristics (5)

  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document; possible embedded executable
  • NOP sled detected [high] SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • PEB access via FS segment (x86) [high] SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to LoadLibrary API [high] SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high] SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_000f0c00.exe
SHA-256: 84ef17e0ac2d21d33844cf5cd9c94df2eec4293214f35e394c7d91b4b6cc8f99
Kind: embedded-pe
Source: Office, MZ+PE at offset 0xF0C00
Size: 43008 bytes