Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f5e6d4c50c9a9a74…

MALICIOUS

Office (OLE) / .DOC

Size: 196.0 KB
Created: 2012-09-21 09:56:09
Authoring application: Windows Installer
MD5: 507bfbda3a801789e5086f0ee8aa02e4
SHA-1: 1a328a8886be797f158a5a0225e1384ba92f44c2
SHA-256: f5e6d4c50c9a9a74e09f77b1b73e4166de71569d01eb77c11ca5f52d772091f2
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is an OLE compound document carrying an embedded PE executable, flagged by the OLE_EMBEDDED_EXE heuristic: an MZ header with a valid PE signature sits at offset 0x6000, and the 176128-byte image carved from there runs to the end of the 196.0 KB file. The document body contains numerous strings naming Windows Installer and setup-related DLLs and functions, which suggests the embedded executable presents itself as a legitimate installer. String references to CreateProcess, LoadLibrary, and GetProcAddress indicate the sample is built to load and execute further code; these imports are also common in benign installers, so they support rather than establish the verdict. The embedded executable is the primary payload, and the document stage should be treated as its dropper. Two checks are worth making by hand before acting on this verdict: parse the carved image's headers and import table to confirm it is a well-formed PE rather than relying on the MZ/PE string match alone, and confirm the container is actually a Word document (a WordDocument stream in the OLE storage) rather than a Windows Installer package, since .msi files are also OLE compound files and Windows Installer is the authoring application recorded in this file's summary information.

Heuristics (4)

  • OLE_EMBEDDED_EXE (critical): Embedded PE executable. MZ/PE header found inside the document, possible embedded executable.
  • SC_STR_CREATEPROCESS (high): String reference to the CreateProcess API.
  • SC_STR_LOADLIBRARY (high): String reference to the LoadLibrary API.
  • SC_STR_GETPROCADDRESS (high): String reference to the GetProcAddress API.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: embedded_office_00006000.exe
  SHA-256:  cf4729ee0c8f39a21ed38a2ebd4a94b686b2170413dc96a1a3c542d1d372f254
  Kind:     embedded-pe
  Source:   Office, MZ+PE at offset 0x6000
  Size:     176128 bytes
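The OLE_EMBEDDED_EXE heuristic and the carve recorded in the table above amount to a short procedure: find every "MZ" pair, validate that its e_lfanew field points at a "PE\0\0" signature, carve and hash the image, and note which loader API names appear as strings. The Python below is an added example written for this page, not the analysis platform's own code. It runs on a constructed buffer (OLE magic, a decoy "MZ" pair that is not a PE, and a minimal MZ/PE stub at offset 0x6000 carrying installer-like import names) instead of the real sample, and the function and constant names are assumptions of this example.

```python
"""Scan a buffer for embedded PE images, carve and hash them, and list loader API strings.

Added example, not the analysis platform's code. The input is constructed below so the
script runs offline; the PE offset (0x6000) mirrors the report's artifact table.
"""
import hashlib
import re
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound file header signature
API_NAMES = (b"CreateProcess", b"LoadLibrary", b"GetProcAddress")  # assumed watch list


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (DOS header +0x3C) points at 'PE\\0\\0'.

    Validating e_lfanew, not just the two-byte 'MZ' string, is what keeps stray
    'MZ' byte pairs in document text from being reported as executables.
    """
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):               # too short for a DOS header
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if e_lfanew < 0x40 or pe_off + 4 > len(data):
            continue
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def carve(data: bytes, off: int) -> bytes:
    """Carve from the MZ header to end of file. That is the right bound when the
    PE is the last thing in the container; otherwise trim using the section table."""
    return data[off:]


def api_references(blob: bytes) -> list:
    """Watch-list API names present as plain strings (a weak signal on its own)."""
    return [n.decode() for n in API_NAMES if n in blob]


def analyze(data: bytes) -> dict:
    """Return a small report: container type plus one entry per embedded PE."""
    report = {"is_ole": data.startswith(OLE_MAGIC), "embedded": []}
    for off in find_embedded_pe(data):
        blob = carve(data, off)
        report["embedded"].append({
            "offset": off,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "api_refs": api_references(blob),
        })
    return report


def build_sample() -> bytes:
    """Constructed test input (not the real sample): OLE magic, a decoy 'MZ' at
    0x100 whose e_lfanew reads as 0, and a minimal MZ/PE stub at 0x6000."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    stub += b"\x00" * (0x80 - len(stub))
    stub += b"PE\x00\x00" + b"\x00" * 20              # PE signature + empty COFF header
    stub += b"KERNEL32.dll\x00CreateProcessW\x00LoadLibraryA\x00GetProcAddress\x00"
    body = bytearray(OLE_MAGIC + b"\x00" * (0x6000 - len(OLE_MAGIC)))
    body[0x100:0x102] = b"MZ"                          # decoy: rejected by the e_lfanew check
    return bytes(body) + bytes(stub)


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample()), indent=2))
```

On the real file, replace build_sample() with the bytes read from disk. The carve-to-EOF choice matches this report's numbers (0x6000 plus 176128 bytes is exactly 196.0 KB), but a PE embedded in the middle of a document needs its size taken from the PE headers; for a production workflow, hand the carved image to a PE parser such as pefile to walk the import table rather than trusting string matches for the API references.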