Win.Packed.Agenttesla-7732321-0 — Office (OOXML) / .DOCX malware analysis

Static analysis result for SHA-256 05b56c3455a56167…

MALICIOUS

Office (OOXML) / .DOCX

Size: 551.0 KB
Created: 2020-04-27 07:10:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: ebd7e1b60b25fcd5f502b01c6bea0a7d
SHA-1: ecb722958b8eb2fa11a8fef178c7823da6839769
SHA-256: 05b56c3455a5616745dfb45a396e8202fdb6f078afda4b72c3a157837c25b481
Risk Score: 244

Malware Insights

Win.Packed.Agenttesla-7732321-0 · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is identified as malicious due to the presence of an embedded OLE object containing an executable payload, strongly indicating an exploitation attempt likely related to CVE-2026-21514. ClamAV detection confirms the presence of 'Win.Packed.Agenttesla-7732321-0', suggesting this is the dropped malware. The embedded OLE object and the confirmed malware signature point to a malicious document designed to execute a secondary payload upon opening.

Heuristics (7)

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 (high, CVE likely CVE_2026_21514)
    Office document contains embedded OLE (word/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • ClamAV: Win.Packed.Agenttesla-7732321-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Packed.Agenttesla-7732321-0
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded OLE object (medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 636fdb9f8d373453ae7798cecf2f019ba1b5e45ded2ee0c1ae6ef6fd6e8d1060
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 518144 bytes
    Detection (ClamAV): Win.Packed.Agenttesla-7732321-0
    Obfuscation or payload: likely
    Carved artifact entropy is 7.95, consistent with packed or encrypted content.
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 40108bfbe6a15f4f94a24389f86ea9ca1600296b7f08ebf95886fe066bcb264a
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 511830 bytes
    Detection (ClamAV): Win.Packed.Agenttesla-7732321-0
    Obfuscation or payload: likely
    Carved artifact entropy is 7.97, consistent with packed or encrypted content.
  • Filename: emf_00.emf
    SHA-256: d29b3228e22563a0de2ffdac9c7a6fe38a1de4a8ead45397dee478840bfb4dac
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 5480 bytes