Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b117b3b778d18815…

MALICIOUS

Office (OLE) / .DOC

Size: 196.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: 1d348f522eeebc96f203958227a4c8e1
SHA-1: cdc9babd25f32c61d1fb7570775b81f519912dab
SHA-256: b117b3b778d188157fc308f6ca4f563fae5ceec9f7e871e589281ca895149bbc
Risk score: 180

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious Office document containing an embedded PE executable. String heuristics find references to the CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting the document's code attempts to load and execute the embedded file. The presence of an embedded executable (MZ header at offset 0x6000) is a critical finding. The document body contains numerous API references and registry paths related to installation and execution, further supporting the payload delivery scenario.

Heuristics (4)

  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind         Source                          Size
embedded_office_00006000.exe  embedded-pe  Office MZ+PE at offset 0x6000   176128 bytes
  SHA-256: cf4729ee0c8f39a21ed38a2ebd4a94b686b2170413dc96a1a3c542d1d372f254