Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 355ee673af4acabd…

MALICIOUS

Office (OLE)

Size: 22.0 KB
Created: 2018-05-06 06:51:00
Authoring application: Microsoft Office Word
First seen: 2019-09-30
MD5: 41d9d16eea1e39245d44e86e101cee38
SHA-1: 4f1e2ef0e8f3ada37e3c5b66e30a43d214bee232
SHA-256: 355ee673af4acabdbc86a0713befcb3670a0c54f34f8293b28da731272b800af
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The file triggers a critical ClamAV detection for Doc.Exploit.DDEautoexec, a match against a known malware signature. The document body explicitly uses DDE (Dynamic Data Exchange) to execute 'powershell.exe' with 'calc.exe' as an argument, which is exploitation for client execution. Although PowerShell is referenced, the primary execution mechanism is the DDE field itself, which is used to launch another process.

Heuristics (3)

  • ClamAV: Doc.Exploit.DDEautoexec-6352494-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6352494-0
  • Reference to PowerShell (high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)