Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b3fbc4b98ca797cb…

MALICIOUS

Office (OLE) / .DOC

275.0 KB
MD5:     f3aa7e162ed7de2d57fdb436e64d511d
SHA-1:   1d9c60f2b5c884ce7e46bd2a70ff761c8bfb8510
SHA-256: b3fbc4b98ca797cb1c9281e07a1398f05da627deac1ce851974b25823bcba9a8

Risk Score: 180

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is a malicious OLE document containing an embedded PE executable. ClamAV detections indicate it is a generic Windows Trojan. The embedded executable is the primary artifact of interest for further analysis.

Heuristics (3)

  • Embedded PE executable [critical] (OLE_EMBEDDED_EXE)
    MZ/PE header found inside the document: possible embedded executable.
  • ClamAV: Win.Trojan.VBGeneric-7649844-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.VBGeneric-7649844-0.
  • ClamAV detection on extracted artifact [critical] (EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  embedded_office_00020600.exe
SHA-256:   d09097398aeda3ebaa2f53c0aa995c4a649b4efc6e5db54d8c514837d1d14597
Kind:      embedded-pe
Source:    Office, MZ+PE at offset 0x20600
Size:      148992 bytes
Detection: ClamAV: Win.Trojan.VBGeneric-7649844-0
Obfuscation or payload: unlikely