Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b1ae985768cf8a35…

MALICIOUS

Office (OLE) / .DOC

147.6 KB
MD5: f14d9e6713a64d9cdc32fd731e28742d SHA-1: e92a88d853d990a9da120b7e07d3d66f5847941f SHA-256: b1ae985768cf8a35d48542184f98fb8d920a1f283ed074b5c051732e515581e4
202 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1027 Obfuscated Files or Information

The sample is a malicious OLE document exhibiting several high-severity heuristic firings, including PEB access and an API hash resolver, indicative of anti-analysis techniques. The large slack space and embedded EMF object suggest potential exploitation vectors. Although VBA macros could not be extracted, the presence of embedded URLs and the overall heuristic profile strongly suggest the document is designed to exploit vulnerabilities and download further malicious content. The document body's content is not directly indicative of malicious intent, but the technical indicators are clear.

Heuristics 7

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is CVE-2007-3893/MS07-046-family evidence when paired with Office exploit payload anomalies, but the malformed EMF record is not proven by this rule alone.
  • x86 GetPC stub (CALL $+5; POP EAX) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 151,186 bytes but its declared streams total only 31,351 bytes — 119,835 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.tibet.ca/en/campaigns/advocacy/beijing_olympics
    • http://www.savetibet.org/documents/document.php?id=258
    • http://savetibet.org/news/newsitem.php?id=1352
    • http://www.huffingtonpost.com/rebecca-novick/arrested-in-tibet-a-young_b_118342.html
    • http://www.timesonline.co.uk/tol/sport/olympics/article4568771.ece

Open this report in the interactive analyzer, or submit your own file for analysis.