Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9f8e34121b5fd2f4…

Verdict: MALICIOUS
Type: Office (OLE)
Size: 1.17 MB
MD5: 6a872ac456180bb6b48f3008df601939
SHA-1: 32ebbc0a4335171c8dae2b93a465ca4399505680
SHA-256: 9f8e34121b5fd2f42167c2f9371d67f3a1ac5c01943aa714e167ca39a4d82ba5
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1137.001 DLL Search Order Hijacking

The sample is an OLE document with a large slack space anomaly, containing an embedded PE executable. Heuristics indicate the use of VirtualAlloc, LoadLibrary, and GetProcAddress APIs, common in malware execution. ClamAV identified the embedded artifact as Win.Trojan.Autoit-135. The document body, though partially garbled, appears to be a tender document, suggesting a lure to trick users into opening the embedded malicious executable.

Heuristics (8)

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Autoit-135 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Autoit-135
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 1,224,192 bytes but its declared streams total only 0 bytes — 1,224,192 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://www.5iantlavalamp.com/
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_000de000.exe
SHA-256: 82698be827004aa5580769c1b473306d8535a96dc6ab588fe92cec35b38bc140
Kind: embedded-pe
Source: Office, MZ+PE at offset 0xDE000
Size: 314880 bytes
Detection: ClamAV: Win.Trojan.Autoit-135
Obfuscation or payload: unlikely