Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b4534f39a08e0dce…

MALICIOUS

Office (OLE) / .DOC

220.8 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 58081c747b5f1d7d68855038ea7160fa SHA-1: d61430b2d5747899c12814154591fb1cc01cb0f0 SHA-256: b4534f39a08e0dce38f555953217d77b16c878156c02215ef6af703c05ce1ec6
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The critical OLE_EMBEDDED_EXE heuristic indicates the presence of a Portable Executable (PE) file within the OLE document. This embedded executable is the primary indicator of malicious intent. The heuristics referencing WinExec, CreateProcess, cmd.exe, LoadLibrary, and VirtualAlloc suggest that the document's macro or script functionality is designed to extract and execute this embedded payload. The large OLE slack anomaly may be used to hide the embedded executable.

Heuristics 9

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 226,052 bytes but its declared streams total only 94,801 bytes — 131,251 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00021200.exe
a7ba0c2c755cedd6f07f212bcc059444e5746e0e629e028b2dd303f576657d04		 embedded-pe Office MZ+PE at offset 0x21200 90372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.