Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 51a631cf0940341f…

MALICIOUS

Office (OLE) / .DOCX

57.0 KB Created: 2020-09-17 11:45:00 Authoring application: Microsoft Office Word First seen: 2021-03-01
MD5: efa06eea4e8960963c450cfab77ee947 SHA-1: ed9f2909032e7da3f3d85b4a82bc45849e0c17e9 SHA-256: 51a631cf0940341f2682a84993b782e2c015ff2181a4c8894e38617643c6a4ca
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is a malicious Office document that embeds a batch file disguised as a PDF. The embedded batch file, named 'Preventive Measures.PDF.bat', is designed to be executed automatically, likely leading to arbitrary command execution on the victim's system. The document body is minimal, providing no further context on the lure.

Heuristics 2

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1662293114/Ole10Native 18488 bytes
SHA-256: ca0d41e8c36c7da2d8298a77e04e32e7ec2fc929ba3cd8fc9f9dee26ad7834f6
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_1662293115/Ole10Native 18482 bytes
SHA-256: d811c80afecbe41c43d7bdb92e07ed9bf50d076f0fec52813edc3abb02732916