Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 edf2db2ce832ebcd…

MALICIOUS

Office (OLE) / .DOC

Size: 196.0 KB | Created: 2012-09-21 09:56:09 | Authoring application: Windows Installer
MD5: af1ed055355c742ae9ebea4c2edc2ee8
SHA-1: e01658a6cd2b3556ab99527ed4263e43b371379e
SHA-256: edf2db2ce832ebcddb44f9d6a22e5c3c7d0c4cbe6302fc3b5f556ddc2dce2750
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample is a malicious OLE document containing an embedded PE executable. Heuristics flag references to the CreateProcess, LoadLibrary, and GetProcAddress APIs, suggesting that code in the document attempts to load and execute the embedded payload. The embedded executable is the primary indicator of malicious intent and likely serves as a second-stage downloader or payload.

Heuristics 4

  • Embedded PE executable (severity: critical, rule: OLE_EMBEDDED_EXE)
    MZ/PE header found inside document, possible embedded executable
  • Reference to CreateProcess API (severity: high, rule: SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • Reference to LoadLibrary API (severity: high, rule: SC_STR_LOADLIBRARY)
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (severity: high, rule: SC_STR_GETPROCADDRESS)
    Reference to GetProcAddress API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: embedded_office_00006000.exe
SHA-256: 043c6bef1bb9b7ed6f0fa2bb96f19e2f5c2b24ab1acc2a9cd3134b0cfb06952c
Kind: embedded-pe
Source: Office, MZ+PE at offset 0x6000
Size: 176128 bytes