Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 588fbe37d57d2ae7…

MALICIOUS

Office (OLE) / .DOC

Size: 338.5 KB
Created: 2021-06-01 19:34:00
Authoring application: Microsoft Office Word
First seen: 2021-06-20
MD5: db86d5cc0509a5ef527577bd65d8d4a0
SHA-1: f03f1da605d06707130cd49d2391295e1ffbf5ee
SHA-256: 588fbe37d57d2ae7d360403a2613e273b4f0339762c0bde74f246a6c4541ce5d
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is a Microsoft Word document containing an embedded OLE package. Heuristics indicate this package is risky and carries an executable or script, specifically a JAR file. The embedded URL is likely related to the delivery mechanism of the payload within the OLE package. No document body text or scripts were extracted, limiting further analysis of the specific intent.

Heuristics 3

  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1684562829/Ole10Native
  Size: 320881 bytes
  SHA-256: fd9cbe2503bbbc51374de44d775d46261451e79b581f8a716f338ef3637a26fa
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)

ole10native_00_n8OoalD8giLjp1mOZaYe7DMw.jar
  Kind: ole-package-payload
  Source: OLE Ole10Native payload: ObjectPool/_1684562829/Ole10Native; display_name=n8OoalD8giLjp1mOZaYe7DMw.jar; full_path=C:\Users\TESTER\AppData\Local\Temp\n8OoalD8giLjp1mOZaYe7DMw.jar; temp_path=; def_file=
  Size: 320419 bytes
  SHA-256: cd74d0b9dcb08225142999b46044133ea772dfeb122ff89066bcd35d19005790