Win.Joke.Salary-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 a9c5f0a9d97aaca2…

MALICIOUS

Office (OLE)

Size: 209.0 KB
Created: 1999-11-07 16:50:00
Authoring application: Microsoft Word 8.0
First seen: 2018-03-04
MD5: 30c6a98948b76e0163a92a3f02f2b987
SHA-1: 3eb5c6129a35ce8ec213045fa7bc553c46adec7e
SHA-256: a9c5f0a9d97aaca24410628eb410e4777c86bda8f23f3a0d59125898a6078aaf
Risk Score: 280

Malware Insights

Win.Joke.Salary-1 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature Win.Joke.Salary-1. It contains an embedded PE executable, indicating it is likely a dropper or part of a multi-stage attack. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API references suggests the embedded executable is designed to load and execute code dynamically.

Heuristics (5)

  • ClamAV: Win.Joke.Salary-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Joke.Salary-1
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00004800.exe
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x4800
Size: 195584 bytes
SHA-256: 43187d06a1a76c531c48fce04d08ec843728114dbba214cb6c418978c7069553
Detection: ClamAV: Win.Joke.Salary-1
Obfuscation or payload: unlikely