Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6929b3814a615320…

MALICIOUS

Office (OLE)

Size: 207.8 KB
Created: 2018-10-04 23:56:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 01e1f862f6e674f0e4a336137238d41a
SHA-1: 249370dd81711f09e8e6443d8337588a9b9b16a3
SHA-256: 6929b3814a615320ecae178c9316687aab97d3c58f6dc11da2713db8e685297e
Risk Score: 144

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file exhibits a large slack space anomaly and is flagged as a password-protected archive lure, indicating an attempt to conceal malicious content. Although VBA macros could not be extracted, the presence of numerous embedded URLs suggests a downloader or redirection mechanism. The ClamAV detection further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Malware.00536d-6923012-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.00536d-6923012-0
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 212,747 bytes but its declared streams total only 69,815 bytes — 142,932 bytes (67%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    The Analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel shown after each URL):
    • http://www.ill3d.com/1685forum/images/avatars/gallery/ini_mod_filezipr.php - In document text (OLE body)
    • http://www.asistimossaludips.com/wp-admin/css/colors/ectoplasm/mod_filezipr.php - In document text (OLE body)
    • http://www.thirdstreetpartners.com/wp-content/plugins/really-simple-captcha/gentium/mod_filezipr.php - In document text (OLE body)
    • http://www.thesocialreel.com/wp-content/themes/twentyfourteen/css/mod_filezipr.php - In document text (OLE body)
    • http://www.chengyufuke.com/kong/lib/plugins/adminer/mod_filezipr.php - In document text (OLE body)
    • http://www.lojademo2.jstecnologia.com/wp-content/themes/spasalon/option_pannel/mod_filezipr.php - In document text (OLE body)
    • http://www.audioaccess.co.th/wp-content/uploads/2012/05/mod_filezipr.php - In document text (OLE body)
    • http://www.digitalkids.com.br/wp-admin/css/colors/coffee/mod_filezipr.php - In document text (OLE body)
    • http://www.bantuline.com/wp-content/plugins/all-in-one-seo-pack/inc/mod_filezipr.php - In document text (OLE body)
    • http://www.test.hessian-coffee.com/wp-content/plugins/woocommerce/i18n/mod_filezipr.php - In document text (OLE body)
    • http://www.wesandemily.com/hmofr/papkr342/idx_config/mod_filezipr.php - In document text (OLE body)
    • http://www.happyadventure.212dev.com/wp-content/plugins/duplicator/installer/mod_filezipr.php - In document text (OLE body)
    • http://www.jollyhands.com/wp-includes/Text/Diff/Renderer/mod_filezipr.php - In document text (OLE body)
    • http://59.124.65.165/Books/calendarD/txt/_notes/mod_filezipr.php - In document text (OLE body)
    • http://www.test5.ts.com.ps/wermure/wtuds/mod_filezipr.php - In document text (OLE body)
    • http://www.hifi.mocksitetest.com/wp-content/themes/betheme/muffin-options/mod_filezipr.php - In document text (OLE body)
    • http://www.ferretti-simulator.comwp-content/plugins/ewww-image-optimizer/images/mod_filezipr.php - In document text (OLE body)
    • http://www.ugandasurgeons.org/wp-content/themes/colormag/img/mod_filezipr.php - In document text (OLE body)
    • http://www.iss.tiensamedia.com/_rte/plugins/indent/lang/mod_filezipr.php - In document text (OLE body)
    • http://www.sdiarcelia.com/tics/message/output/airnotifier/mod_filezipr.php - In document text (OLE body)
    • http://www.mhmcconsultoria.com/wp-admin/css/colors/coffee/mod_filezipr.php - In document text (OLE body)
    • http://www.marathasellers.com/wp-admin/css/colors/sunrise/mod_filezipr.php - In document text (OLE body)
    • http://www.freebies.shop-mania.info/tyoinvur/wtuds/ini_mod_filezipr.php - In document text (OLE body)
    • http://www.bohoric.si/tyoinvur/sotpie/mod_filezipr.php - In document text (OLE body)
    • http://www.nutrisci.org/pligg/widgets/last_logged_in_users/templates/mod_filezipr.php - In document text (OLE body)
    • http://www.akstrade.com/components/com_user/views/register/mod_filezipr.php - In document text (OLE body)
    • http://www.halo.hoteltravelpro.xyz/wp-content/themes/twentyfifteen/inc/mod_filezipr.php - In document text (OLE body)
    • http://www.kattugla.no/wp-content/themes/twentythirteen/inc/mod_filezipr.php - In document text (OLE body)
    • http://www.blog.interofficesuperwisdom.com/rtypisjw/sotpie/mod_filezipr.php - In document text (OLE body)
    • http://www.curryleaf.co.in/wp-admin/css/colors/ocean/mod_filezipr.php - In document text (OLE body)
    • http://www.ahmedtalat.com/wp-content/plugins/ql-addons/post_types/mod_filezipr.php - In document text (OLE body)
    • http://www.patrol.hakancelik90.tk/wp-content/plugins/js_composer/locale/mod_filezipr.php - In document text (OLE body)
    • http://www.ibercomic.com/wp-content/themes/twentysixteen/genericons/mod_filezipr.php - In document text (OLE body)
    • http://www.thammyhk.com/wp-content/plugins/contact-form-7/images/mod_filezipr.php - In document text (OLE body)
    • http://www.tuinontwerp-caspers.nl/blog/wp-content/uploads/2018/mod_filezipr.php - In document text (OLE body)
    • http://www.letswonderholidays.com/wp-admin/css/colors/coffee/mod_filezipr.php - In document text (OLE body)
    • http://www.m2atech.ma/wp-content/plugins/LayerSlider/wp/mod_filezipr.php - In document text (OLE body)
    • http://www.avto-is.40rus.com/administrator777/components/com_search/models/mod_filezipr.php - In document text (OLE body)
    • http://www.jobs.iekaridaias.gr/wp-content/themes/twentysixteen/inc/mod_filezipr.php - In document text (OLE body)
    • http://www.guzhengchina.cn/wp-content/uploads/2018/08/mod_filezipr.php - In document text (OLE body)
    • http://www.pirateclubcr.com/wp-content/themes/twentyfifteen/js/mod_filezipr.php - In document text (OLE body)
    • http://www.brotherzam.com/wp-content/plugins/products-post-type/includes/mod_filezipr.php - In document text (OLE body)
    • http://www.noithattdc.com/wp-content/cache/et/87/mod_filezipr.php - In document text (OLE body)
    • http://www.gymotg.com/wp-content/themes/athlete/metaboxes/mod_filezipr.php - In document text (OLE body)
    • http://www.artone.mocksitetest.com/wp-content/plugins/contact-form-7/includes/mod_filezipr.php - In document text (OLE body)
    • http://www.nhaplus.net/wp-content/plugins/count-per-day/locale/mod_filezipr.php - In document text (OLE body)
    • http://www.medic2.mocksitetest.com/wp-content/themes/betheme/js/mod_filezipr.php - In document text (OLE body)
    • http://www.haridai.com/Xkeuangan/system/core/compat/mod_filezipr.php - In document text (OLE body)
    • http://www.lovemelos.com/wp-includes/js/tinymce/langs/mod_filezipr.php - In document text (OLE body)
    • http://www.allday360.com/wp-content/plugins/newsletter/emails/mod_filezipr.php - In document text (OLE body)
    +1020 more URL(s)