Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 1e2da72e82ca01f5…

MALICIOUS

Office (OLE) / .DOC

Size: 223.0 KB
Created: 2021-11-01 11:20:00
Authoring application: Microsoft Office Word
MD5: 8c6f1f4389283caee0807d4fd020b609
SHA-1: e6c859bbb328e5689f7bc1e18a1000b284867a98
SHA-256: 1e2da72e82ca01f50c14d2806735d1540cb335096d2215d2a0dfd9bfcc9f269b
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an OLE document containing a package that drops an executable file named 'ole10native_00.bin'. This indicates a delivery mechanism for a secondary payload. The heuristic 'OFFICE_PACKAGE_RISKY_FILE' confirms the presence of a risky auto-executable payload within the OLE package.

Heuristics (3)

  • Ole10Native package drops an auto-executable payload (severity: critical; heuristic: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Suspicious extracted artifact (severity: info; heuristic: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: 27ef982c1518f744a028ab23b77c68fe287b61b19de29d2645f1112b622c7d5a
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1697281614/Ole10Native
Size: 190782 bytes

Detection
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact entropy is 8.00, consistent with packed or encrypted content.