Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 68e0814428afcb89…

MALICIOUS

Office (OLE)

Size: 136.0 KB
Created: 2015-07-11 23:36:00
Authoring application: Microsoft Office Word
First seen: 2015-09-22
MD5: 68f5f21eee4ab9e2e062d15ff2e3d160
SHA-1: 05cf603226493b10cfe59e79ec575f9d388f258c
SHA-256: 68e0814428afcb890114e03f1df3f73358bce9aaa5671e6c3a61bff73ad39cc5
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1137.001 Office Installation: Office Application Startup

The sample is a malicious Office document containing an embedded OLE package that drops a JAR file named 'swift.jar'. The document body displays an error message prompting the user to double-click an icon, which likely leads to the execution of the embedded payload. This behavior is indicative of a spearphishing attachment designed to deliver malware.

Heuristics (4)

  • Office EPRINT stream contains EMF object [high, CVE related] (OLE_EPRINT_EMF_OBJECT)
    The OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is supporting evidence of Office object delivery when paired with exploit-payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • Ole10Native package drops an auto-executable payload [critical] (OFFICE_PACKAGE_RISKY_FILE)
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ole10native_00.bin
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1498166370/Ole10Native
    Size: 113565 bytes
    SHA-256: 5fb721c50443c5cc5d0ff057630d22750ac73c89f7bf3fec34bf64aee514dc53
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.86, consistent with packed or encrypted content)
  • ole10native_00_swift.jar
    Kind: ole-package-payload
    Source: OLE Ole10Native payload: ObjectPool/_1498166370/Ole10Native; display_name=swift.jar; full_path=C:\Users\Jacob\AppData\Local\Temp\swift.jar; temp_path=; def_file=
    Size: 113280 bytes
    SHA-256: 4e76c99229ed9e1a6509435195bb58d022ca962caa8724d2cf4b3d29d03bf394