Office (OLE) malware analysis — malicious · b7a41c36782d1290

MALICIOUS

Office (OLE)

2.00 MB Created: 2004-04-21 18:49:00 Authoring application: Microsoft Word 9.0

MD5: eb6d53213875c38bdaa0c91840386beb SHA-1: 7263f0eba609c03ccd49d994970c445af1f7ff72 SHA-256: b7a41c36782d12909c2c66db492bfbbc48dc8184f7e85e589ba39eb8a19911ed

620 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1204.002 Malicious File T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The sample is an OLE document containing a large slack space anomaly and an embedded PE executable. Heuristics indicate the presence of NOP sleds, PEB access, and API calls related to process creation and loading libraries, suggesting the embedded executable is likely a loader or dropper. The document body is a benign-looking student organization registration packet, serving as a lure. The embedded executable, detected by ClamAV as Win.Trojan.Agent-36963, is the primary malicious component.

Heuristics 16

XOR-encoded strings (key 0x93) critical SC_XOR_ENCODED

Found 8 Windows library/API name(s) XOR-encoded with single-byte key 0x93: 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'LoadLibraryA', 'GetProcAddress', 'GetProcAddress', 'GetProcAddress'
Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Trojan.Agent-36963 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-36963
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
NOP sled detected high SC_NOP_SLED

Found 20+ consecutive 0x90 bytes
PEB access via FS segment (x86) high SC_PEB_ACCESS

PEB access via FS segment (x86)
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 2,097,152 bytes but its declared streams total only 58,701 bytes — 2,038,451 bytes (97%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED

Long run of 0x43 bytes
x86 push-string-call medium SC_PUSH_STRING

Shellcode-style PUSH imm32 sequence builds an execution, network, or Windows API string on the stack
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.sc.colostate.edu/studentorg

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00010000.exe` `8eb821f1990ba84e6d2708fd69b2ceb37baf7ed86f31ed0088a5702c77099546`	embedded-pe	Office MZ+PE at offset 0x10000	2031616 bytes
Detection ClamAV: Win.Trojan.Agent-36963 Obfuscation or payload: likely Carved artifact contains 3 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.