Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e730cb91c6fb12b4…

MALICIOUS

Office (OLE)

Size: 104.5 KB
Created: 2001-11-05 13:03:00
Authoring application: Microsoft Word 8.0
First seen: 2017-10-28
MD5: 460618b7ebde097f0aca2088d3251ac7
SHA-1: 241048489b0d3e96e4155ffe2b338772b1ca5b66
SHA-256: e730cb91c6fb12b48f556ebb335dddca3238db64ed251847fe19cfc57533a833
Risk Score: 320

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The document presents itself as an urgent email update required to maintain email functionality, urging the recipient to open an attached file. This file is identified as a PE executable, indicating a likely attempt to deliver a malicious payload. The presence of WinExec, VirtualAlloc, LoadLibrary, and GetProcAddress API calls suggests the embedded executable is designed to load and run code, potentially to download and execute further stages or establish persistence.

Heuristics (6)

  • ClamAV: Win.Trojan.Optix-92 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Optix-92
  • Embedded PE executable [critical, OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • Reference to WinExec API [high, SC_STR_WINEXEC]
    Reference to WinExec API
  • Reference to LoadLibrary API [high, SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API [high, SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_office_00005200.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x5200
Size: 86016 bytes
SHA-256: 6a121b9b247ad5a940dc4107bf1f327d6b17b79f206ad1d17f3d8da8e8654754
Detection: ClamAV: Win.Trojan.Optix-92
Obfuscation or payload: unlikely