Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d1e467068f813e87…

MALICIOUS

Office (OLE)

256.0 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel First seen: 2020-02-04
MD5: 491969b106587f9eecdd46467a7ba3a1 SHA-1: 66c46f96959775e75e4a78524177f0fbe0c458b8 SHA-256: d1e467068f813e87906e5b74d32a2860cf56c1274d3ea055a7b7df897f097a79
240 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is an Office document containing an embedded PE executable, detected by ClamAV as Win.Trojan.Agent-1266464. Heuristics indicate the use of ShellExecute, LoadLibrary, and GetProcAddress APIs, common in malware execution. The document body, though in Chinese and related to payment information, serves as a lure. The embedded executable is the primary indicator of malicious intent.

Heuristics 4

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0002ee00.exe embedded-pe Office MZ+PE at offset 0x2EE00 70144 bytes
SHA-256: 7f1487bb6361d6e8a0ffa4418a0edc7e343a1b9afa37f3a953dd97a27a84aeaf
Detection
ClamAV: Win.Trojan.Agent-1266464
Obfuscation or payload: unlikely