Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 2d845bd6662e7449…

MALICIOUS

Office (OLE) / .DOCX

24.0 KB Created: 2020-11-09 10:44:00 Authoring application: Microsoft Office Word
MD5: c5354a491815c511ca8f786a0824ccc7 SHA-1: acf9251708fa91ee605d2a03bf39457f16cecb3d SHA-256: 2d845bd6662e7449f4db7a922e67c665df70cd045af48e2cb3d689a5d0004b2f
62 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is a malicious Office document containing embedded OLE packages, one of which has a .vbe extension, indicating a Visual Basic script. The heuristic 'SE_ENABLE_LURE' confirms that the document instructs the user to enable macros or editing, a common tactic for malware droppers. This suggests the embedded script is intended to be executed upon user interaction, likely to download and execute a second-stage payload.

Heuristics 3

  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
7ab2759cdee8af3473b0553c267380b94b3aabd7d33dfc831d00d2b6c92dc056		 ole-package OLE Ole10Native stream: ObjectPool/_1666398664/Ole10Native 1982 bytes
ole10native_01.bin
485b3b452e438d86083699188981f7206890f14afc9b90c26dc706d55ee3b79a		 ole-package OLE Ole10Native stream: ObjectPool/_1666398665/Ole10Native 2009 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.