Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 45ce43fde8de8f38…

MALICIOUS

Office (OOXML) / .DOC

Size: 331.8 KB
Created: 2021-02-19 18:44:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: 216c3fc7cf3013b1403a67cbaef4a12c
SHA-1: 0a52eef08671e1f4caa9b62ca36a36287e10b4e8
SHA-256: 45ce43fde8de8f388bc19cbb0811b2d7a2313da6eaa1305eb2932fdb7ba4696c
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is a Microsoft Office document containing an embedded OLE object. Heuristics indicate this object is a risky file type, specifically a JAR archive, which is often used to deliver malicious payloads. The embedded OLE object itself is the primary indicator of malicious intent, suggesting it's designed to be executed by the user or a subsequent process.

Heuristics (4)

  • Ole10Native package carries executable/script file type [high] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (3)

Files carved from inside the sample during analysis. Each entry lists Filename, Kind, Source and Size.

  • ooxml_oleobject_00.bin
    SHA-256: 231dde44e0e7d0a6d753566b8caa44a03f8f1a39e2f229f92cc74c0f5e2dbb3b
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 337408 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: ef0b95c3318c4993218f4aea1ff0a01bc84bda9923f5cacb944068502ebf1230
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 331796 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content.

  • emf_00.emf
    SHA-256: 6fe33104af8aa73b2ba3fc50257342197426e2b756efce26325d295d79d2870e
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 5148 bytes