Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 c798f259840f41ee…

MALICIOUS

Office (OLE) / .DOC

112.6 KB
MD5: feeeaa3504ab8ceb6e77acdeb4667ca0 SHA-1: ddaf2edf5e4a35c03de054db8644a03f7d936993 SHA-256: c798f259840f41ee35935a097dd8320ec8f8acb1f003791334c1aaa15751e257
102 Risk Score

Malware Insights

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32 T1059.005 Command and Scripting Interpreter: Visual Basic

The sample contains an Excel 4.0 macro, indicated by the OLE_XLM_AUTOOPEN heuristic. This macro is designed to execute a command-line payload using rundll32.exe, which in turn attempts to download content from the URL http://ordinateur.ogivart.us/editor/Qpo7OAOnbe. The large slack space in the OLE structure is also anomalous. The presence of multiple suspicious URLs suggests a delivery mechanism for further malicious payloads.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 115,341 bytes but its declared streams total only 0 bytes — 115,341 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ordinateur.ogivart.us/editor/Qpo7OAOnbe/
    • http://old.liceum9.ru/images/0/
    • http://ostadsarma.com/wp-admin/pYk64Hh3z5hjnMziZ/
    • http://ordinateur.ogivart.us/editor/Qpo7OAOnbe

Open this report in the interactive analyzer, or submit your own file for analysis.