Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ceed0aa091f72ed6…

MALICIOUS

Office (OLE)

Size: 3.82 MB
Created: 2007-12-06 19:54:22
Authoring application: Windows Installer XML v2.0.4820.0 (candle/light)
MD5: 405cbe780f603c2a8af4aba48319a50b
SHA-1: bb8bfe881c0ee5cda888329da3ac13da09b9b274
SHA-256: ceed0aa091f72ed6ad8c547388eefa9e9e2976b80d3202fc56eb1ef11c7d98d6
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1204 User Execution
  • T1105 Ingress Tool Transfer

The file exhibits high-confidence heuristic firings for CreateProcess, ShellExecute, LoadLibrary, and GetProcAddress, indicating dynamic execution and loading of code. The presence of unknown reputation URLs, specifically http://www.laoscript.net/purchase.php and http://www.laoscript.net/activate/, suggests these are likely command-and-control or download servers. The ClamAV detection as Win.Trojan.Agent-122222 further confirms its malicious nature. The document body lists various components related to software activation and localization, which could be a lure or part of the malware's functionality.

Heuristics (7)

  • ClamAV: Win.Trojan.Agent-122222 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-122222
  • Reference to CreateProcess API (high, SC_STR_CREATEPROCESS)
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ocsp.verisign.com0
    • http://%s/activate/index.php?userkey=%s&username=%s
    • http://www.laoscript.net/purchase.php
    • http://www.laoscript.net/activate/
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • https://www.verisign.com/rpa
    • https://www.verisign.com/rpa01
    • http://crl.verisign.com/pca3.crl0
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
    • https://www.verisign.com/rpa0
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0