Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5a94cd6659c9bf6e…

MALICIOUS

Office (OOXML) / .DOC

325.8 KB Created: 2021-05-15 10:02:00 UTC Authoring application: Microsoft Office Word 14.0000
MD5: 565c131da13defc8f25f52c74c89ee2a SHA-1: 440a8d51ff9cf43ddb72a8f49183a74029f53cca SHA-256: 5a94cd6659c9bf6e78a582f340e46f6a2e70a5b283fadd888ccf77d4dec3bef4
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a malicious OOXML document containing an embedded OLE object. This object is identified as a package that drops an auto-executable payload, specifically a JAR file. The presence of this embedded object strongly suggests an attempt to deliver and execute malware upon opening the document. No specific family could be identified from the available evidence.

Heuristics 4

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
10bbba96c8186c185c7e978078d36cda56ff16373132d51492987162f1ff0f6b		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 324608 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
8a4eae4c33394a0629abad9971a2a0b62dfbc3f5df46afed325901d393993a4e		 ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 319658 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
emf_00.emf
40a9314dedaf4fd2de0e07c0d5f2ba46b869b3f7143264fa79a56986356a3058		 ooxml-emf OOXML EMF part: word/media/image2.emf 5148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.