Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 ff0bff385c3ae362…

MALICIOUS

Office (OLE) / .DOC

143.3 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0
MD5: 006051f9d739408f3222c6cd6750f9b3 SHA-1: 7aaaf2d56f3337bdc11eeb9269e32bbc8e23e501 SHA-256: ff0bff385c3ae362785082e7b89b1b3cce515db01e3eafe42ac8dc14fb63f636
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information T1204.002 Malicious File

The sample exhibits high-confidence heuristics indicating PEB access and API hash resolution, common techniques for obfuscating API calls. References to VirtualAlloc, VirtualProtect, LoadLibrary, and GetProcAddress suggest the dynamic loading and execution of code. While the document body is heavily obfuscated and contains no clear lure, the presence of numerous benign URLs alongside the malicious indicators suggests a potential attempt to blend in or distract. The primary attack pattern involves downloading and executing a second-stage payload, likely facilitated by the embedded URLs, although the specific content of the payload cannot be determined from the provided evidence.

Heuristics 7

  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://awgc5.blogspot.com/2007/12/benazir-bhuttocomputer-trick.html
    • http://en.wikipedia.org/wiki/David_Frost
    • http://en.wikipedia.org/wiki/Al_Jazeera
    • http://en.wikipedia.org/wiki/Osama_Bin_Laden
    • http://en.wikipedia.org/wiki/Ahmed_Omar_Saeed_Sheikh
    • http://en.wikipedia.org/wiki/Daniel_Pearl
    • http://en.wikipedia.org/wiki/Nawaz_Sharif
    • http://en.wikipedia.org/wiki/Saudi_Arabia
    • http://en.wikipedia.org/wiki/December_16
    • http://en.wikipedia.org/wiki/Islamabad
    • http://en.wikipedia.org/wiki/Balochistan_%28Pakistan%29
    • http://en.wikipedia.org/wiki/President_of_Pakistan
    • http://en.wikipedia.org/wiki/Islamic_World
    • http://en.wikipedia.org/wiki/Head_of_State

Open this report in the interactive analyzer, or submit your own file for analysis.