Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 cadc6f91c1db8721…

MALICIOUS

Office (OLE) / .DOC

73.0 KB
MD5: 04f87a2540fbdb2e44c75f93a6d3dd61
SHA-1: 6f955000b18603c703976c559efb06a5a244aaf8
SHA-256: cadc6f91c1db872165733cad963f3382f08decbc647d5834221bbe2b42bc7406
204 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing an embedded PE executable. Heuristics indicate the use of APIs for process creation, dynamic library loading, and memory protection, suggesting the embedded executable is likely a payload. The document body text appears to be unrelated to the malicious payload, indicating a lure or social engineering attempt.

Heuristics (6)

  • Embedded PE executable (severity: critical, ID: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API (severity: high, ID: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to LoadLibrary API (severity: high, ID: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, ID: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API
  • Reference to VirtualProtect API (severity: medium, ID: SC_STR_VIRTUALPROTECT)
    Reference to VirtualProtect API
  • Unsupported Office format for VBA extraction (severity: info, ID: OFFICE_FORMAT_UNSUPPORTED)
    olevba could not extract VBA macros (PermissionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_0000ddf0.exe
SHA-256: a48e8c52cd059fd07bae6ed21db68d816027f6cab0100056c0c96e9908144e13
Kind: embedded-pe
Source: Office MZ+PE at offset 0xDDF0
Size: 17920 bytes