Malicious Office (OLE) / .DTA — malware analysis report

Static analysis result for SHA-256 aebb2b425b83a35b…

MALICIOUS

Office (OLE) / .DTA

Size: 2.27 MB
Created: 2004-04-22 18:49:03
Authoring application: InstallShield® Developer 8.0
MD5: 5690d67fe79c958fa53680ebd71f3591
SHA-1: 3774c6edeeee6b6ad7f0253683065173c2cd8be7
SHA-256: aebb2b425b83a35b05f725a50e4871f184967cb44e162a0a04249cedf5bdeecb
Risk score: 300

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV and contains an embedded PE executable. Heuristics indicate references to the Windows API functions WinExec, CreateProcess, VirtualAlloc, LoadLibrary, and GetProcAddress, which malware commonly uses to execute and load payloads. The embedded URL is highly suspicious and is likely used for command and control or for further payload delivery. The file's structure as an InstallShield installer suggests it is a delivery mechanism for the embedded malicious executable.

Heuristics (8)

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Adware.Webex-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Adware.Webex-4
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://support@webex.comARPCONTACT1-866-229-3239ARPHELPLINKhttp://www.webex.comARPHELPTELEPHONEARPURLINFOABOUTThe
    (The extracted value runs several strings together; the ARPCONTACT, ARPHELPLINK, ARPHELPTELEPHONE and ARPURLINFOABOUT tokens visible in it mark the boundaries between them.)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000ec00.exe
SHA-256: 37a7b5cc207fc741340e96c718702d3164b404f1e93883f3cc90f6ba81e9d9b7
Kind: embedded-pe
Source: Office MZ+PE at offset 0xEC00
Size: 2314752 bytes