Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 3baf6a266939019c…

MALICIOUS

Office (OLE) / .DOCX

Size: 92.4 KB
Created: 2018-11-29 14:01:00
Authoring application: Microsoft Office Word
MD5: 7cc553feed8cc4754e5e9d87d3b38aca
SHA-1: a3e07dce59ae1a924e1e79c4d7a22cae871b5a5e
SHA-256: 3baf6a266939019c1d86b96a33d7b261374d80db0b6fd7a4f76a98a4c34cd278
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample contains a high-severity heuristic firing for PowerShell usage, indicating an attempt to execute commands. The document body contains obfuscated PowerShell commands that, when deobfuscated, reveal attempts to download and execute files from various URLs. The OLE slack anomaly suggests potential data hiding or packing, common in malicious documents.

Heuristics (3)

  • Reference to PowerShell (severity: high, SC_STR_POWERSHELL)
    Reference to PowerShell
  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 94,592 bytes but its declared streams total only 51,411 bytes — 43,181 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main