Virut — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 f5d63c2d368fafc1…

MALICIOUS

Office (OLE) / .DOC

4.84 MB
MD5: 57b2262ef5c66fefb28ab0fff2d04775 SHA-1: 4c432b76f3b59e6ebaf317f8d605c6f2db4f8b29 SHA-256: f5d63c2d368fafc14091813895783def9d666434b0c178db9b17eb5c9add1cd5
340 Risk Score

Malware Insights

Virut · confidence 95%

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1137.001 DLL Side-Loading T1027 Obfuscated Files or Information

The sample is an OLE document with a significant amount of slack space, indicating potential obfuscation or embedded content. Critical heuristics identify an embedded PE executable and ClamAV detections confirm the presence of the Virut family malware. The embedded executable is the primary indicator of malicious intent, likely serving as a downloader or dropper for the main payload.

Heuristics 7

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • ClamAV: Win.Trojan.Virut-230 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Virut-230
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • x86 GetPC stub (CALL $+5; POP EBP) high SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EBP)
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 5,079,040 bytes but its declared streams total only 2,517,319 bytes — 2,561,721 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_0026d000.exe
af961f14ff99c05d4377fc30b996703e1babc64a7553e7b49e52f9e2dd228b7b		 embedded-pe Office MZ+PE at offset 0x26D000 2535424 bytes
Detection
ClamAV: Win.Trojan.Virut-35
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.