Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 233fadc525e8bc29…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 207.6 KB (212,625 bytes)
Created: 2018-10-04 23:56:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 05a30f75469a014708075196ba96c729
SHA-1: 96e8c5f7a78a3b89f7327687d1b8413b800a76ef
SHA-256: 233fadc525e8bc29b9e921f04721f05895f81287e4da9cd1cde8da486e2af9e6
Risk score: 144

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file shows a large slack-space anomaly (two thirds of its bytes lie outside any declared OLE stream) and carries password instructions for an archive lure; both are consistent with an attempt to keep the real payload away from gateway scanning. olevba could not extract VBA macros, so how the document reaches its more than a thousand embedded URLs (every one shown ends in mod_filezipr.php or ini_mod_filezipr.php, each on a different site) is still open: a macro, an exploit, or a plain link are all possible, and the unallocated region is the first place to look. A ClamAV signature hit (Doc.Malware.00536d-6923012-0) corroborates the verdict.

Heuristics (5)

  • ClamAV: Doc.Malware.00536d-6923012-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6923012-0
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 212,625 bytes but its declared streams total only 69,815 bytes; the remaining 142,810 bytes (67%) sit in sectors no stream claims. Unallocated space is a common hiding place for payloads in exploit-based (macro-less) Office documents, typically XOR-encoded shellcode or an embedded executable that a parser memory-corruption bug redirects execution into. Benign files also carry some slack (deleted streams are not zeroed when a document is re-saved), so carve the unallocated region and check its entropy and for a single-byte XOR key before treating it as a payload.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AssertionError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.noithattdc.com/wp-content/cache/et/87/mod_filezipr.php  In document text (OLE body)
    • http://www.test2.ts.com.ps/sitepro/js/photoswipe/default-skin/ini_mod_filezipr.php  In document text (OLE body)
    • http://www.rts-t.ru/wp-content/plugins/subscribe-to-comments-reloaded/langs/mod_filezipr.php  In document text (OLE body)
    • http://www.hmindustria.com.brwp-admin/css/colors/ocean/mod_filezipr.php  In document text (OLE body)
    • http://www.fdima.ru/blog/wp-admin/css/colors/mod_filezipr.php  In document text (OLE body)
    • http://www.strigifo.com/wp-content/plugins/ez-form-calculator-premium/Licensing/mod_filezipr.php  In document text (OLE body)
    • http://www.mandahe.online/iizoaieu/sotpie/mod_filezipr.php  In document text (OLE body)
    • http://www.dunhamconsultassoc.com/wp-includes/js/tinymce/plugins/mod_filezipr.php  In document text (OLE body)
    • http://www.hinchrfc.mcveighmedia.com/wp-content/plugins/woocommerce-memberships/templates/mod_filezipr.php  In document text (OLE body)
    • http://www.3rdsectorsupportafrica.org/ini_mod_filezipr.php  In document text (OLE body)
    • http://www.old.gotovine.com/wp-admin/css/colors/coffee/mod_filezipr.php  In document text (OLE body)
    • http://www.transfermatusvillarrica.com/wp-content/plugins/maintenance/images/mod_filezipr.php  In document text (OLE body)
    • http://www.techandtrisckss.ooo/wp-includes/SimplePie/XML/Declaration/mod_filezipr.php  In document text (OLE body)
    • http://www.zikertaf.info/wp-includes/SimplePie/Decode/HTML/mod_filezipr.php  In document text (OLE body)
    • http://www.mikayla.mocksitetest.com/wp-content/uploads/2016/12/mod_filezipr.php  In document text (OLE body)
    • http://www.edu.screentecrepairs.com/wp-content/themes/twentyseventeen/template-parts/mod_filezipr.php  In document text (OLE body)
    • http://www.teishoku.mocksitetest.com/wp-content/uploads/2017/10/mod_filezipr.php  In document text (OLE body)
    • http://www.fbgk.se/wp-content/uploads/2015/12/mod_filezipr.php  In document text (OLE body)
    • http://www.cheaphotelchains.com/blog/wp-content/plugins/page-links-to/mod_filezipr.php  In document text (OLE body)
    • http://www.incredibleinsider.us/assets/library/fontawesome/css/mod_filezipr.php  In document text (OLE body)
    • http://www.radionovafm87.com/wp-content/plugins/insert-post-ads/views/mod_filezipr.php  In document text (OLE body)
    • http://www.certum.se/skarlunda/wp-includes/Requests/Proxy/mod_filezipr.php  In document text (OLE body)
    • http://www.recover.doyzkie.com/wp-includes/SimplePie/XML/Declaration/mod_filezipr.php  In document text (OLE body)
    • http://www.ontimebazaar.com/wp-content/plugins/woocommerce/templates/mod_filezipr.php  In document text (OLE body)
    • http://www.ongsarepta.org/libraries/joomla/feed/parser/mod_filezipr.php  In document text (OLE body)
    • http://www.baolamdep.net/wp-content/uploads/2018/03/mod_filezipr.php  In document text (OLE body)
    • http://www.neu.webcoder.ch/ognerrte/sotpie/mod_filezipr.php  In document text (OLE body)
    • http://www.naijabeatzone.com/wp-content/updraft/themes-old/accesspress-mag/mod_filezipr.php  In document text (OLE body)
    • http://www.michelledenny.com/wp-content/plugins/mega-addons-for-visual-composer/icons/mod_filezipr.php  In document text (OLE body)
    • http://www.ahliabh.com/library/editor/unsupported_plugins/HtmlTidy/mod_filezipr.php  In document text (OLE body)
    • http://www.tandp.jsswebdev.com/wp-content/uploads/2018/09/mod_filezipr.php  In document text (OLE body)
    • http://www.jerryzhang.cn/wp-content/plugins/2oneplagine/Rechnung/mod_filezipr.php  In document text (OLE body)
    • http://www.tothebooks.com/ognerrte/wtuds/mod_filezipr.php  In document text (OLE body)
    • http://www.amritanet.com/ini_mod_filezipr.php  In document text (OLE body)
    • http://www.makemysoftwares.com/wp-content/uploads/.X1-unix/9bd/mod_filezipr.php  In document text (OLE body)
    • http://www.sanjaykumar.us/wp-content/themes/gom-preum/css/mod_filezipr.php  In document text (OLE body)
    • http://www.khangnamwindow.danang.vip/wp-content/plugins/wp-editor/classes/mod_filezipr.php  In document text (OLE body)
    • http://www.neselievim.com/wp-content/cache/wpfc-minified/mcnl8fcl/mod_filezipr.php  In document text (OLE body)
    • http://www.mpkdk.sk/templates/dd_dreamnight_38/images/slideshow/mod_filezipr.php  In document text (OLE body)
    • http://www.csv.jsswebdev.com/wp-includes/Requests/Exception/Transport/mod_filezipr.php  In document text (OLE body)
    • http://www.devsandbox.info/wp-content/themes/fiencke/css/mod_filezipr.php  In document text (OLE body)
    • http://www.minisoft.ro/subdomains/alexsound/images/music-logos/mod_filezipr.php  In document text (OLE body)
    • http://www.duchamp.tv/stats/urchin/mod_filezipr.php  In document text (OLE body)
    • http://www.consult.screentecrepairs.com/wp-content/plugins/revslider/admin/mod_filezipr.php  In document text (OLE body)
    • http://www.unflex.mcveighmedia.com/wp-content/themes/cowork/inc/mod_filezipr.php  In document text (OLE body)
    • http://www.fewo-haus-lore.de/administrator/modules/mod_version/tmpl/mod_filezipr.php  In document text (OLE body)
    • http://www.floridaoffmarket.com/wp-content/themes/twentyeleven/colors/mod_filezipr.php  In document text (OLE body)
    • http://www.londonhomesales.ca/wp-content/plugins/wordpress-seo/frontend/mod_filezipr.php  In document text (OLE body)
    • http://www.fanclubjonatancerrada.com/file/ind/id150/picture/mod_filezipr.php  In document text (OLE body)
    • http://www.bantuline.com/wp-content/plugins/all-in-one-seo-pack/inc/mod_filezipr.php  In document text (OLE body)
    +1020 more URL(s)
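The OLE_SLACK_ANOMALY figures above (212,625 bytes in the file, 69,815 bytes declared by streams) come from comparing the compound-file directory against the file length. The following is an added example, not the report tool's own code: a minimal MS-CFB reader that reproduces those two numbers, additionally counts FAT-allocated sectors so the bytes past the last allocated sector can be located, and carves that region for entropy or XOR-key checks. To run offline it builds a small constructed compound file with junk appended after the last chained sector; the builder, the "WordDocument" stream name and the 3,000-byte tail are assumptions for the demonstration, and DIFAT sectors beyond the header's 109 slots are not followed.

```python
import struct

# OLE / CFB constants (MS-CFB). Written for this example; not the report tool's code.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
STGTY_STREAM, STGTY_ROOT = 2, 5


def _read_fat(data, sector_size):
    """Read the FAT through the 109 DIFAT slots in the header. Files big enough to
    need extra DIFAT sectors (roughly 6.8 MB and up) are not followed; simplification."""
    fat = []
    for i in range(109):
        sec = struct.unpack_from("<I", data, 0x4C + 4 * i)[0]
        if sec == FREESECT:
            break
        chunk = data[sector_size * (sec + 1):sector_size * (sec + 2)]
        fat.extend(struct.unpack("<%dI" % (len(chunk) // 4), chunk[:len(chunk) // 4 * 4]))
    return fat


def ole_slack_report(data):
    """Compare declared stream sizes and FAT-allocated sectors against the file size."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
    sector_size = 1 << sector_shift
    fat = _read_fat(data, sector_size)
    # Walk the directory chain and sum the size field of every stream entry.
    stream_total, seen = 0, set()
    sec = struct.unpack_from("<I", data, 0x30)[0]
    while sec < len(fat) and sec not in seen:          # ENDOFCHAIN and friends are >= len(fat)
        seen.add(sec)
        block = data[sector_size * (sec + 1):sector_size * (sec + 2)]
        for off in range(0, len(block) - 127, 128):
            entry = block[off:off + 128]
            if entry[66] == STGTY_STREAM:
                size = struct.unpack_from("<Q", entry, 120)[0]
                if sector_shift == 9:                   # v3 files: only the low 32 bits count
                    size &= 0xFFFFFFFF
                stream_total += size
        sec = fat[sec]
    allocated = sector_size * (1 + sum(1 for v in fat if v != FREESECT))   # header + used sectors
    file_size = len(data)
    return {
        "file_size": file_size,
        "stream_total": stream_total,
        "slack_bytes": file_size - stream_total,                 # the metric the heuristic reports
        "slack_ratio": (file_size - stream_total) / file_size,
        "allocated_bytes": allocated,
        "unallocated_bytes": file_size - allocated,              # bytes past the last allocated sector
    }


def carve_unallocated(data):
    """Bytes beyond the last FAT-allocated sector: dump these and check entropy and XOR keys."""
    return data[ole_slack_report(data)["allocated_bytes"]:]


def build_sample_ole(stream_size=4096, junk=b"\x00" * 3000):
    """Constructed v3 compound file: header, one FAT sector, one directory sector, a
    'WordDocument' stream of stream_size bytes, then `junk` appended outside any chain."""
    sector_size = 512
    data_sectors = -(-stream_size // sector_size)
    header = bytearray(sector_size)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # minor, major, byte order, sector shifts
    struct.pack_into("<II", header, 0x2C, 1, 1)                        # 1 FAT sector; directory starts at sector 1
    struct.pack_into("<III", header, 0x38, 4096, ENDOFCHAIN, 0)        # mini-stream cutoff, no mini FAT
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)               # no DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))    # the FAT lives in sector 0
    fat = [FREESECT] * (sector_size // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for s in range(2, 2 + data_sectors):                               # chain the stream's sectors
        fat[s] = s + 1 if s + 1 < 2 + data_sectors else ENDOFCHAIN

    def entry(name, etype, start, size, child=FREESECT):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 64, len(raw), etype, 1)            # name length, type, colour
        struct.pack_into("<III", e, 68, FREESECT, FREESECT, child)     # left, right, child
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)

    directory = (entry("Root Entry", STGTY_ROOT, ENDOFCHAIN, 0, child=1)
                 + entry("WordDocument", STGTY_STREAM, 2, stream_size) + bytes(2 * 128))
    body = b"A" * stream_size + bytes(data_sectors * sector_size - stream_size)
    return bytes(header) + struct.pack("<128I", *fat) + directory + body + junk


if __name__ == "__main__":
    r = ole_slack_report(build_sample_ole())
    print(f"{r['file_size']} bytes; streams declare {r['stream_total']}; "
          f"{r['slack_bytes']} ({r['slack_ratio']:.0%}) outside declared streams; "
          f"{r['unallocated_bytes']} past the last allocated sector")
```

For a real sample pass open(path, "rb").read() to ole_slack_report and carve_unallocated; the "slack_bytes" figure is the one the heuristic prints, while "unallocated_bytes" isolates data appended after the last chained sector, which is where a carved payload usually starts. olefile's listdir() and get_size() give the same stream totals if a maintained parser is preferred.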
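The EMBEDDED_URL entries above were pulled from the OLE body by a byte-level scan, and the list has an obvious shape: every URL shown ends in mod_filezipr.php or ini_mod_filezipr.php and sits under a CMS directory (wp-content, wp-includes, wp-admin, libraries/joomla, templates) on a different host. The following added example, not part of the report or its tooling, reproduces that scan over raw bytes (plain ASCII and the UTF-16LE Word uses for document text), de-duplicates, clusters the set by script name, and turns the cluster into a hunting pattern for proxy or EDR logs. The URLs in the sample are taken from the list above; the surrounding bytes (null padding, one URL stored as UTF-16LE, one duplicate) and the CMS_MARKERS set are assumptions for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of OLE body bytes. The three URLs come from the report's list;
# the layout around them is assumed for the example, not the real file's contents.
SAMPLE_BODY = (
    b"\x00\x00http://www.noithattdc.com/wp-content/cache/et/87/mod_filezipr.php\x00\x00"
    + "http://www.amritanet.com/ini_mod_filezipr.php".encode("utf-16-le")
    + b"\r\nhttp://www.ongsarepta.org/libraries/joomla/feed/parser/mod_filezipr.php "
    + "http://www.noithattdc.com/wp-content/cache/et/87/mod_filezipr.php".encode("utf-16-le")
    + b"\x00" * 16
)

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Directory names that mark a CMS install; an assumption for this example.
CMS_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/", "/libraries/joomla/", "/templates/")


def _utf16le_views(blob):
    """Collapse UTF-16LE text to one byte per character at both alignments so URL_RE can
    scan it. A code unit whose high byte is non-zero (non-ASCII or mis-aligned data)
    becomes a newline, which ends any URL match."""
    views = []
    for start in (0, 1):
        lows, highs = blob[start::2], blob[start + 1::2]
        n = min(len(lows), len(highs))
        views.append(bytes(lows[i] if highs[i] == 0 and lows[i] != 0 else 0x0A for i in range(n)))
    return views


def extract_urls(blob):
    """Unique URLs found as plain ASCII or as UTF-16LE text, in first-seen order."""
    found = []
    for view in [blob] + _utf16le_views(blob):
        for m in URL_RE.finditer(view):
            url = m.group().rstrip(b".,;)").decode("ascii")
            if url not in found:
                found.append(url)
    return found


def cluster_by_script(urls):
    """Group URLs by the final path component, the server-side script the lure fetches."""
    groups = {}
    for u in urls:
        groups.setdefault(urlsplit(u).path.rsplit("/", 1)[-1], []).append(u)
    return groups


def build_hunt_regex(urls):
    """Derive a proxy/EDR hunting pattern from the script names shared across the set."""
    names = sorted(cluster_by_script(urls))
    return r"/(?:%s)$" % "|".join(re.escape(n) for n in names)


def cms_marker_counts(urls):
    """Count which CMS install directories the URL paths sit under."""
    counts = Counter()
    for u in urls:
        path = urlsplit(u).path
        counts.update(marker for marker in CMS_MARKERS if marker in path)
    return counts


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_BODY)
    for u in urls:
        print(u)
    print(build_hunt_regex(urls))
    print(cms_marker_counts(urls))
```

The script-name cluster is the durable indicator here: hostnames on a list of more than a thousand sites churn, but a path ending in /mod_filezipr.php or /ini_mod_filezipr.php requested by winword.exe or by a child of it is a narrow, cheap hunt across proxy logs.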