Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c21d8cb18928c25f…

MALICIOUS

Office (OLE) / .DOC

94.3 KB Created: 2008-04-23 12:48:44 Authoring application: Microsoft Office Word
MD5: 42efd74e62b80d81505a195be32914c7 SHA-1: de44fc36363a73064d7b14631ce395cb7b815a5b SHA-256: c21d8cb18928c25f7eb1188cdcef2783d616946295dddd048d4f35b360e94828
220 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1137.001 DLL Side-Loading

The sample is an OLE document with a significant slack space anomaly, indicating potential obfuscation. Crucially, it contains an embedded PE executable (embedded_office_0000bc00.exe). Heuristics also indicate PEB access and references to LoadLibrary and GetProcAddress APIs, common in malware execution. The document body contains strings that appear to be VBA macro code, including calls to WinExec, suggesting the embedded executable is likely launched by a macro.

Heuristics 6

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 96,521 bytes but its declared streams total only 40,506 bytes — 56,015 bytes (58%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://crl.microsoft.com/pki/crl/products/tspca.crl0H
    • http://www.microsoft.com/pki/certs/tspca.crt0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
    • http://www.microsoft.com/sysinternals

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0000bc00.exe
22cfee729236c025d74de3b195b0ed1f44a3c1fadcd602b9e8b7e3a4475a9b96		 embedded-pe Office MZ+PE at offset 0xBC00 48393 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.