Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9fa4b094c7c0643b…

MALICIOUS

Office (OLE)

Size: 97.5 KB
Created: 2013-07-01 09:14:00
Authoring application: Microsoft Office Word
First seen: 2015-10-03
MD5: 795244c57e05476e9b7f4869d3d46ff0
SHA-1: 6916353d4fb1807049c2eaab2a3a7675b56615b0
SHA-256: 9fa4b094c7c0643b9f3e5733963778587aa9f74a6706899cfe3c1363617f183d
Risk Score: 402

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an OLE document containing an embedded PE executable and an Adobe Flash (SWF) file, both flagged as malicious by ClamAV. Heuristics indicate the use of APIs for process creation, memory allocation, and loading libraries, suggesting the execution of downloaded or embedded code. The embedded JavaScript, though truncated, likely contributes to the execution chain, potentially downloading additional payloads.

Heuristics 9

  • ClamAV: Swf.Exploit.Kit-513 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Swf.Exploit.Kit-513
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Embedded Adobe Flash (SWF) in OLE document critical OFFICE_EMBEDDED_SWF
    Document contains an embedded Adobe Flash (SWF) object. Vulnerabilities such as CVE-2018-4878 and CVE-2018-15982 involved Flash objects embedded in Office files. Adobe Flash has been end-of-life since December 2020.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_office_0000f494.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0xF494
Size: 37228 bytes
SHA-256: 4e392a3623f1c57f911ee3159e4030669aec30640b96e2716b1204d88a6eb48c
Detection
ClamAV: Win.Dropper.Scar-9879231-0
Obfuscation or payload: likely
Carved artifact entropy is 7.60, consistent with packed or encrypted content.