Malicious Office (OLE) / .DO — malware analysis report

Static analysis result for SHA-256 427dfa5750c95cb7…

MALICIOUS

Office (OLE) / .DO

Size: 3.84 MB
Created: 2010-05-05 13:52:00
Authoring application: Microsoft Office Word
MD5: e9b938313eea2c94abf79c17f1902548
SHA-1: c03f560b2c1a49fe0e61155d1e3a819fc1b504be
SHA-256: 427dfa5750c95cb74f35612f7ac5b9f6670748cb8b1a9cfed571397055992513
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The sample is an Office document containing an embedded PDF. The PDF is built as a lure: it paints an image but contains no text operators, which suggests it is meant to prompt the user into further interaction. The presence of an XLM macro sheet also indicates the potential for malicious macro execution. Overall, the attack pattern is a multi-stage lure designed to engage the user.

Heuristics (4)

  • Secondary embedded PDF body has suspicious static findings (severity: high, rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes the file to a ZIP/OLE parser while a PDF reader or downstream parser opens the hidden PDF payload.
  • Excel 4.0 (XLM) macro sheet present (severity: medium, rule: OLE_XLM_AUTOOPEN)
    The workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • PDF paints image(s) but contains no text operators (severity: info, rule: PDF_IMAGE_ONLY_LURE)
    The PDF has 2 image XObject(s) and its content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or a risky URI context.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (the standard DrawingML XML namespace URI, which is expected to appear in Office documents and is not on its own an indicator)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

ole10native_00.bin
  SHA-256: 2b0486330f09d1aa6159bc6592972e4eae268e788d3bd4e87d16bad4c515aa14
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1139725620/Ole10Native
  Size: 563652 bytes

ole10native_01.bin
  SHA-256: 12fa9b5e20cbb46d5fec1919b0e23c2f4bf8a115af70d57bcd8433f94e95d610
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1334558835/MBD8000000B/Ole10Native
  Size: 138084 bytes

polyglot_child_pdf_off0011f600.pdf
  SHA-256: 16f3f4763e7bea1c7917b5bd6ffa55151251a0694e4d0bb061b4d5c98055afb6
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside OLE container at offset 0x11F600
  Size: 2844672 bytes