Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c493ab5eb220d6e3…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 209.5 KB
Created: 2001-04-20 08:58:00
Authoring application: Microsoft Word 8.0
First seen: 2019-05-10
MD5: fe53f2b1ab04c553167bb11377e379f9
SHA-1: 6a4bee5f07c9e1e82ded2211874ff414a99a4410
SHA-256: c493ab5eb220d6e36859ac88c6df1b0a284f4583002a2c3efb1b6288706da9f4
Risk score: 280

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The file is an Office document containing an embedded Portable Executable (PE) file, identified as a critical finding. Heuristics indicate the use of APIs commonly associated with loading and executing code (VirtualAlloc, LoadLibrary, GetProcAddress). The embedded executable is likely the primary payload, intended for delivery via email as suggested by the document's metadata and body content.

Heuristics (5)

  • ClamAV: Win.Trojan.Agent-507916 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-507916
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00005000.exe
Kind: embedded-pe
Source: Office (MZ+PE at offset 0x5000)
Size: 194048 bytes
SHA-256: 80b9df4ad11ef62140e5f6acd86eb1ae3887d2e8b1ff8f0e38281ab118f1a4f6
Detection: ClamAV: Win.Trojan.Agent-507916
Obfuscation or payload: unlikely