MALICIOUS
720
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1105 Ingress Tool Transfer
The sample is an Office document containing an embedded OLE package that acts as a dropper for a Windows executable. Heuristics indicate the use of APIs like CreateProcess, ShellExecute, WriteProcessMemory, and CreateRemoteThread, suggesting the dropped executable is designed to run and potentially perform malicious actions. The embedded executable is detected by ClamAV as Win.Spyware.Zbot-1275, a known spyware family.
Heuristics 15
-
ClamAV: Win.Spyware.Zbot-1275 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Spyware.Zbot-1275
-
Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORYReference to WriteProcessMemory API
-
Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREADReference to CreateRemoteThread API
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPERThe OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
PEB access via FS segment (x86) high SC_PEB_ACCESSPEB access via FS segment (x86)
Disassembly
x86 disassembly · validity: code (0.969) — 13/13 branch targets land on an instruction boundary (100% coherence)0001415D 648b1530000000 mov edx, dword ptr fs:[0x30] 00014164 8b520c mov edx, dword ptr [edx + 0xc] 00014167 8b5214 mov edx, dword ptr [edx + 0x14] 0001416A 8b7228 mov esi, dword ptr [edx + 0x28] 0001416D b918000000 mov ecx, 0x18 00014172 33ff xor edi, edi 00014174 33c0 xor eax, eax 00014176 ac lodsb al, byte ptr [esi] 00014177 3c61 cmp al, 0x61 00014179 7c02 jl 0x1417d 0001417B 2c20 sub al, 0x20 0001417D c1cf0d ror edi, 0xd 00014180 03f8 add edi, eax 00014182 e2f0 loop 0x14174 00014184 81ff5bbc4a6a cmp edi, 0x6a4abc5b 0001418A 8b4210 mov eax, dword ptr [edx + 0x10] 0001418D 8b12 mov edx, dword ptr [edx] 0001418F 75d9 jne 0x1416a 00014191 5f pop edi 00014192 5e pop esi 00014193 c3 ret 00014194 53 push ebx 00014195 8bd8 mov ebx, eax 00014197 83e301 and ebx, 1 0001419A 7510 jne 0x141ac 0001419C e85b380000 call 0x179fc 000141A1 84c0 test al, al 000141A3 7407 je 0x141ac 000141A5 830de037420001 or dword ptr [0x4237e0], 1 000141AC 56 push esi 000141AD 57 push edi 000141AE bf24384200 mov edi, 0x423824 000141B3 be18384200 mov esi, 0x423818 000141B8 e8cf550000 call 0x1978c
-
PEB API-hash resolver high SC_API_HASH_RESOLVERPEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
Disassembly
x86 disassembly · validity: code (0.969) — 13/13 branch targets land on an instruction boundary (100% coherence)0001415D 648b1530000000 mov edx, dword ptr fs:[0x30] 00014164 8b520c mov edx, dword ptr [edx + 0xc] 00014167 8b5214 mov edx, dword ptr [edx + 0x14] 0001416A 8b7228 mov esi, dword ptr [edx + 0x28] 0001416D b918000000 mov ecx, 0x18 00014172 33ff xor edi, edi 00014174 33c0 xor eax, eax 00014176 ac lodsb al, byte ptr [esi] 00014177 3c61 cmp al, 0x61 00014179 7c02 jl 0x1417d 0001417B 2c20 sub al, 0x20 0001417D c1cf0d ror edi, 0xd 00014180 03f8 add edi, eax 00014182 e2f0 loop 0x14174 00014184 81ff5bbc4a6a cmp edi, 0x6a4abc5b 0001418A 8b4210 mov eax, dword ptr [edx + 0x10] 0001418D 8b12 mov edx, dword ptr [edx] 0001418F 75d9 jne 0x1416a 00014191 5f pop edi 00014192 5e pop esi 00014193 c3 ret 00014194 53 push ebx 00014195 8bd8 mov ebx, eax 00014197 83e301 and ebx, 1 0001419A 7510 jne 0x141ac 0001419C e85b380000 call 0x179fc 000141A1 84c0 test al, al 000141A3 7407 je 0x141ac 000141A5 830de037420001 or dword ptr [0x4237e0], 1 000141AC 56 push esi 000141AD 57 push edi 000141AE bf24384200 mov edi, 0x423824 000141B3 be18384200 mov esi, 0x423818 000141B8 e8cf550000 call 0x1978c
-
Reference to CreateProcess API high SC_STR_CREATEPROCESSReference to CreateProcess API
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00000aa6.exe |
embedded-pe | Office MZ+PE at offset 0xAA6 | 169818 bytes |
SHA-256: 4c2189b9bebb20d05b5566932c2bc96e863d3e719a53cdf268f431eb80fea133 |
|||
|
Detection
ClamAV:
Win.Spyware.Zbot-1275
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_PEB_ACCESS, SC_STR_CREATEREMOTETHREAD Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateThread, VirtualAlloc, CreateRemoteThread, OpenProcess
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: MBD0001B512/Ole10Native | 144852 bytes |
SHA-256: 307ac289d670ac6a4697ae3e67ca8cda1e1b61a8de85148844200da79b8d27e1 |
|||
|
Detection
ClamAV:
Win.Spyware.Zbot-1275
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_PEB_ACCESS, SC_STR_CREATEREMOTETHREAD Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateThread, VirtualAlloc, CreateRemoteThread, OpenProcess
|
|||
ole10native_00_File_is_crashed_Please_double_click_here_to_reload_msexcel.exe |
ole-package-payload | OLE Ole10Native payload: MBD0001B512/Ole10Native; display_name=File is crashed, Please double click here to reload msexcel.exe; full_path=C:\Users\Chenco\AppData\Local\Temp\chenco.exe; temp_path=; def_file= | 144384 bytes |
SHA-256: 6b839c4ff0fef88b4fc98cb59a62c742fb227d745daa624dd3f467390e3c979b |
|||
|
Detection
ClamAV:
Win.Spyware.Zbot-1275
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_PEB_ACCESS, SC_STR_CREATEREMOTETHREAD Static shellcode analysis recovered API/import strings: LoadLibraryA, GetProcAddress, CreateThread, VirtualAlloc, CreateRemoteThread, OpenProcess
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.