Malicious Office (OLE) / .MP3 — malware analysis report

Static analysis result for SHA-256 bbcf50ef55730d35…

MALICIOUS

Office (OLE) / .MP3

Size: 5.61 MB (5,886,372 bytes)
Created: 2006-08-08 11:51:00
Authoring application: Microsoft Word 8.0
MD5: cb62bdfc9294320944ab609504a5043c
SHA-1: d1a2fe0d8706186ddd8133720001100d8cf9504f
SHA-256: bbcf50ef55730d3525ee5417405c544f5022469eb921912ec0bf5a2773de2b22
Risk score: 340

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer
The mapping is the scanner's. Of the three, only T1204.002 is directly supported by the heuristics below: nothing on this page references PowerShell, and the only extracted URL is an XML schema namespace rather than a download location, so T1059.001 and T1105 should be treated as unconfirmed.

The sample is an OLE document with a large slack-space anomaly and an embedded PE executable: of its 5,886,372 bytes only 19,099 are accounted for by declared streams, and an MZ/PE image was carved from offset 0x2A0000 running to the end of the file (0x2A0000 + 3,133,860 = 5,886,372). The file also contains the strings ShellExecute, VirtualAlloc, LoadLibrary and GetProcAddress; taken together these fit a dropper that writes out a payload, launches it and resolves APIs at run time, but as bare string hits they are weak evidence on their own, since LoadLibrary and GetProcAddress are imported by almost every Windows executable, including the carved one. ClamAV identifies the carved executable as Win.Trojan.Kazy-1335, which is the strongest single indicator here. The visible document body appears to be a form for a Russian internal affairs agency, most likely a lure to get the recipient to open the file and interact with the embedded executable. Note also that, if both offsets are file offsets, the RTF \objdata section at 0x2F9317 lies inside the carved PE's byte range (0x2A0000 to end of file), so the RTF_OBJDATA and RTF_OBJEMB hits are on bytes within the embedded executable region rather than in the OLE container's own streams.

Heuristics (10)

  • OLE_EMBEDDED_EXE (critical): Embedded PE executable
    MZ/PE header found inside the document, indicating a possible embedded executable.
  • EXTRACTED_FILE_CLAMAV (critical): ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • SC_STR_SHELLEXEC (high): Reference to ShellExecute API
  • SC_STR_LOADLIBRARY (high): Reference to LoadLibrary API
  • SC_STR_GETPROCADDRESS (high): Reference to GetProcAddress API
  • OLE_SLACK_ANOMALY (high): OLE document has a large unaccounted-for region
    The OLE file is 5,886,372 bytes but its declared streams total only 19,099 bytes, so 5,867,273 bytes (99.7% of the file) lie in unallocated sector slack. Slack is the classic hiding place for the payload of an Office exploit document (for example XOR-encoded shellcode reached through a parser memory-corruption bug) and, in this sample, holds the executable carved at offset 0x2A0000.
  • SC_STR_VIRTUALALLOC (medium): Reference to VirtualAlloc API
  • RTF_OBJDATA (medium): OLE object data
    RTF contains 1 \objdata section (hex-encoded embedded OLE object).
  • RTF_OBJEMB (medium): Embedded OLE object
    RTF contains \objemb, marking an embedded (rather than linked) OLE object.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (the DrawingML XML namespace, present in any document carrying drawing markup; not an attacker-controlled address)
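The two checks above that carry the most weight, OLE_SLACK_ANOMALY and OLE_EMBEDDED_EXE, reduce to byte arithmetic plus a PE header walk. The following Python is an added illustration, not the scanner's code: it builds a constructed carrier (OLE magic, zero padding and a minimal hand-made PE image), locates the PE by its MZ/PE signatures, sizes it from its section table, hashes the carve, and computes the slack figures for the byte counts reported above. The declared-stream total is passed in as a plain number; a real run would take it from an OLE parser such as olefile, and the e_lfanew and section-count bounds used for plausibility are this example's own choices.

```python
import hashlib
import struct

# Constructed input so the example runs offline: an OLE-style header, padding,
# and a minimal hand-built PE image. A real run would read the sample from disk.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def build_minimal_pe(section_size=0x200):
    """Build a minimal, non-executable PE32 image (DOS stub, PE signature,
    COFF header, optional header, one .text section). Constructed for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    raw_off = 0x200
    sect = bytearray(40)
    sect[:8] = b".text\x00\x00\x00"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sect, 8, section_size, 0x1000, section_size, raw_off)
    img = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + bytes(sect)
    return img + b"\x00" * (raw_off - len(img)) + b"\xCC" * section_size


def pe_size_from_headers(blob, off):
    """If blob[off:] starts a plausible PE, return its on-disk size (the furthest
    end of any section's raw data, clamped to the blob); otherwise None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or pe + 24 > len(blob):   # bounds are this example's choice
        return None
    if blob[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    if machine not in (0x14C, 0x8664) or not 0 < nsect <= 96:   # i386 / x64 only
        return None
    sect_off = pe + 24 + opt_size
    end = e_lfanew + 24 + opt_size + nsect * 40                  # at least the headers
    for i in range(nsect):
        h = sect_off + i * 40
        if h + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, h + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return min(end, len(blob) - off)


def carve_embedded_pes(blob):
    """The OLE_EMBEDDED_EXE check: find every MZ/PE header in the blob and
    return (offset, size, sha256) for each image whose headers parse."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        size = pe_size_from_headers(blob, pos)
        if size:
            hits.append((pos, size, hashlib.sha256(blob[pos:pos + size]).hexdigest()))
            pos = blob.find(b"MZ", pos + size)
        else:
            pos = blob.find(b"MZ", pos + 1)
    return hits


def slack_report(file_size, declared_stream_bytes):
    """The OLE_SLACK_ANOMALY arithmetic: bytes not covered by the declared streams
    and the percentage of the file they make up. declared_stream_bytes is an input
    here; in practice it comes from an OLE parser (e.g. summing olefile stream sizes)."""
    slack = file_size - declared_stream_bytes
    return slack, round(100.0 * slack / file_size, 1)


def build_sample():
    """Constructed carrier: OLE magic, zero padding up to 4 KiB, the PE, trailing zeros."""
    pe = build_minimal_pe()
    return OLE_MAGIC + b"\x00" * (0x1000 - len(OLE_MAGIC)) + pe + b"\x00" * 0x200


if __name__ == "__main__":
    for off, size, digest in carve_embedded_pes(build_sample()):
        print(f"PE at 0x{off:X}, {size} bytes, sha256 {digest}")
    slack, pct = slack_report(5886372, 19099)   # the figures from this report
    print(f"slack: {slack} bytes ({pct}% of file)")
```

Sizing the carve from the section table, rather than cutting to end of file as the report's artifact did, gives a stable hash for the same embedded image regardless of what follows it; the trade-off is that an overlay appended after the last section (installers and some droppers keep their payload there) is excluded and must be carved separately.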

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_002a0000.exe
    SHA-256: 1035def3b974b7e11e76d2b69eda1c80b45f574ec23eeb341ebf5a080cfb8b76
    Kind: embedded-pe
    Source: Office, MZ+PE at offset 0x2A0000
    Size: 3,133,860 bytes
    Detection: ClamAV Win.Trojan.Kazy-1335
    Obfuscation or payload: unlikely
  • objdata_00_off002f9317.bin
    SHA-256: 0dcd622eddb58f8542c0bcba945d47c8d73b43ef3ba12a47569e01547eb25381
    Kind: rtf-objdata-decoded
    Source: RTF \objdata at offset 0x2F9317
    Size: 11,544 bytes
    Detection: none listed
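The second artifact is the hex-decoded \objdata group. The following Python is an added example, not the scanner's code: it builds a constructed RTF fragment containing one \objemb object, counts the \objemb and \objdata control words (the RTF_OBJEMB and RTF_OBJDATA checks), decodes the hex, parses the OLE1 ObjectHeader defined in MS-OLEDS (OLEVersion, FormatID, ClassName, TopicName, ItemName, then NativeDataSize and NativeData for an embedded object) and triages the native data by file magic. The wrapper bytes, label and path in the sample are made up; the Packager sub-format inside a 'Package' object is deliberately not parsed, which is why the triage scans the native data for MZ instead of assuming the file starts at offset 0.

```python
import re
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def lp_ansi(s):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (including the NUL) followed
    by the NUL-terminated bytes; a length of 0 means the string field is absent."""
    if not s:
        return struct.pack("<I", 0)
    data = s.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(data)) + data


def build_sample_rtf():
    r"""Constructed RTF with one embedded object, laid out as RTF writers emit it:
    {\object\objemb ... {\*\objdata <hex>}}. The object is an OLE1 stream of class
    'Package'; its native data is a few made-up wrapper bytes followed by a PE stub
    (only the MZ magic matters here). This is not the report's sample."""
    stub = b"MZ\x90\x00" + b"\x00" * 60
    native = b"\x02\x00" + b"lure.exe\x00" + b"C:\\lure.exe\x00" + stub   # constructed wrapper
    ole1 = (struct.pack("<II", 0x00000501, 2)                    # OLEVersion, FormatID 2 = embedded
            + lp_ansi("Package") + lp_ansi("") + lp_ansi("")     # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native)           # NativeDataSize, NativeData
    hexdata = ole1.hex()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
            + lines + "}}}")


def rtf_object_flags(rtf):
    r"""The RTF_OBJEMB / RTF_OBJDATA counts: occurrences of \objemb and \objdata."""
    return {"objemb": len(re.findall(r"\\objemb\b", rtf)),
            "objdata": len(re.findall(r"\\objdata\b", rtf))}


def extract_objdata(rtf):
    r"""Decode every {\*\objdata ...} group to bytes, ignoring the line breaks and
    spaces that RTF writers insert between hex digits."""
    blobs = []
    for m in re.finditer(r"\\objdata\b\s*([0-9A-Fa-f\s]*)\}", rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        if len(hexstr) % 2:                 # damaged dump: drop a dangling nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def parse_ole1_object(data):
    """Parse the OLE1 ObjectHeader (MS-OLEDS): OLEVersion, FormatID, ClassName,
    TopicName, ItemName, and for FormatID 2 (embedded object) the NativeData bytes.
    FormatID 3 is a linked object and carries no native data."""
    version, format_id = struct.unpack_from("<II", data, 0)
    pos = 8
    names = []
    for _ in range(3):
        (n,) = struct.unpack_from("<I", data, pos)
        pos += 4
        names.append(data[pos:pos + n].rstrip(b"\x00").decode("latin-1") if n else "")
        pos += n
    native = None
    if format_id == 2:
        (n,) = struct.unpack_from("<I", data, pos)
        pos += 4
        native = data[pos:pos + n]
    return {"version": version, "format_id": format_id, "class_name": names[0],
            "topic_name": names[1], "item_name": names[2], "native": native}


def classify_native(obj):
    """Triage the native data by file magic rather than by trusting the class name:
    returns (kind, offset within native data). A 'Package' object wraps an arbitrary
    file behind Packager header bytes, so scan for MZ instead of assuming offset 0."""
    native = obj["native"] or b""
    if native[:8] == OLE_MAGIC:
        return "ole-compound", 0
    mz = native.find(b"MZ")
    if mz != -1:
        return "pe-executable", mz
    return "other", 0


if __name__ == "__main__":
    rtf = build_sample_rtf()
    print(rtf_object_flags(rtf))
    for blob in extract_objdata(rtf):
        obj = parse_ole1_object(blob)
        kind, off = classify_native(obj)
        print(f"class={obj['class_name']!r} format_id={obj['format_id']} "
              f"native={len(obj['native'])} bytes -> {kind} at native offset {off}")
```

The class name in the header is attacker-controlled and is routinely set to something innocuous, so the verdict should rest on the decoded bytes; in a real workflow the native data (or the MZ-bearing slice of it) is handed to the same PE carver and AV scan that produced the first artifact above.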