Sofacy Office (OLE) / .DOC malware analysis — malicious · ffa010287faad2b2

MALICIOUS

Office (OLE) / .DOC

172.5 KB

MD5: 69065313d72009e72bbffb1dd7949083 SHA-1: 3ed1df4a4b8aad06750df980f39c96df64bee95a SHA-256: ffa010287faad2b212fa5442d5719bcff5f03dcf786e2ca6f22126bdfbd5ae6e

400 Risk Score

Malware Insights

Sofacy · confidence 95%

MITRE ATT&CK

T1559.001 Component Object Model Hijacking T1137.001 DLL Search Order Hijacking

The file is an OLE document with a significant amount of slack space and an embedded PE executable. Heuristics indicate the use of CreateProcess, ShellExecute, VirtualAlloc, LoadLibrary, and GetProcAddress APIs, suggesting the execution of the embedded payload. ClamAV detections for 'Win.Trojan.Sofacy-1' on both the container and the extracted artifact strongly indicate the Sofacy family. The document body text appears to be test data and does not provide further clues on the attack pattern.

Heuristics 9

Embedded PE executable critical OLE_EMBEDDED_EXE

MZ/PE header found inside document — possible embedded executable
ClamAV: Win.Trojan.Sofacy-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Sofacy-1
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
Reference to ShellExecute API high SC_STR_SHELLEXEC

Reference to ShellExecute API
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 176,640 bytes but its declared streams total only 31,351 bytes — 145,289 bytes (82%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_office_00016430.exe` `e273d67ef8d1d325db59fc10c276a21c960abf446ba29928ba2f3896901759dc`	embedded-pe	Office MZ+PE at offset 0x16430	85456 bytes
Detection ClamAV: Win.Trojan.Sofacy-1 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.