Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fcd7a0fb7397a72f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 181.0 KB
Created: 2018-01-08 17:41:50
Authoring application: Microsoft Excel
First seen: 2018-01-23
MD5: 049a3f773fcb5c15147886818f519714
SHA-1: 3ffcb2a4cf4ce3822588d258badb99da8114ee65
SHA-256: fcd7a0fb7397a72f6814e94bb8efb51d065642a0587cc1a51f8380fc0d844d57
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information
  • T1105 Ingress Tool Transfer

The sample is a malicious Microsoft Excel file that contains an embedded PE executable. String references to the ShellExecute, LoadLibrary and GetProcAddress APIs suggest that the embedded payload is executed at runtime. The embedded executable, named 'Virus1.exe' in the document body, is likely dropped and executed by the Office document.

Heuristics (6)

  • Embedded PE executable (critical, OLE_EMBEDDED_EXE): MZ/PE header found inside the document; possible embedded executable.
  • Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE): OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Reference to ShellExecute API (high, SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_office_0000108f.exe
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0x108F
    Size: 181105 bytes
    SHA-256: d28923d8e5faa1613fce9efd7a54fb04a86926d81e29f19606724098cf47f14b
    Detection (ClamAV): No threats found
    Obfuscation or payload: likely; carved artifact entropy is 7.48, consistent with packed or encrypted content.
  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD000245C8/Ole10Native
    Size: 175761 bytes
    SHA-256: 154b8c3bc8bf871a500362b399c5200aa252d208ea9adaf91594c6ced998ef5a
    Detection (ClamAV): No threats found
    Obfuscation or payload: likely; carved artifact entropy is 7.50, consistent with packed or encrypted content.