Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fcc52956fd86afef…

MALICIOUS

Office (OLE)

219.5 KB Created: 2016-06-10 06:50:22 Authoring application: Microsoft Excel First seen: 2017-08-27
MD5: 65b3fcd13c8a744ac847dace99439aa1 SHA-1: 0a0892d0dd0b9f09196c70d3e6d98d9995e537df SHA-256: fcc52956fd86afefb7df44411eec21be565347c18e0e88d158add9e0242125be
302 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer T1204.002 Malicious File

The sample is an Excel document containing an embedded executable payload disguised as an image to lure the user into clicking it. The embedded executable is dropped and executed, likely to download and run a second-stage payload. The document body text in Russian suggests a lure for viewing a receipt, which is a common social engineering tactic.

Heuristics 7

  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/SMI/2005/WindowsSettings Embedded OLE package script

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_office_00000ca4.exe embedded-pe Office MZ+PE at offset 0xCA4 221532 bytes
SHA-256: 91c19dc5e1da33762cca228eac40793bc4674207e7eaa426e3e0c1030c63e6ef
ole10native_00.bin ole-package OLE Ole10Native stream: MBD01939FD1/Ole10Native 194618 bytes
SHA-256: bd4626faaaffaa95de3d9229d2cf9f0800030ff18d96a20be5976756dd680901