Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f08ec05653e37918…

MALICIOUS

Office (OLE) / .DOC

179.3 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 36c1bf164272c17d3dfcfa3f8cf44f5f SHA-1: 89b24c93505044ffc8d61aa1d05a3011dcd62b9a SHA-256: f08ec05653e3791845754942b5291904151a4486d3ce7f8abfe099cae4db71dc
320 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1105 Ingress Tool Transfer

The OLE document exhibits a significant slack space anomaly and critically contains an embedded PE executable. Heuristics indicate the use of Windows API functions such as VirtualAlloc, LoadLibrary, and GetProcAddress, commonly employed by malware to load and execute code. The embedded executable, detected by ClamAV as Win.Trojan.Agent-681062, is the primary indicator of malicious intent, suggesting the document serves as a dropper for further malicious activity.

Heuristics 7

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Agent-681062 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-681062
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 183,556 bytes but its declared streams total only 94,801 bytes — 88,755 bytes (48%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0001c600.exe
a07dcd06f7fb0623520e5099c716ee160cb75bb13912a7738a218fdce715a7fb		 embedded-pe Office MZ+PE at offset 0x1C600 67332 bytes
Detection
ClamAV: Win.Trojan.Agent-681062
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.