Win.Dropper.XtremeRAT-9995740-0 — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 73969152c8f24282…

MALICIOUS

Office (OLE) / .DOC

Size: 276.0 KB
Created: 2020-02-28 03:49:00
Authoring application: Microsoft Office Word
MD5: 366a58f8429f0b50b86c5f24f04c99d1
SHA-1: d465033838d9168cd053873776a2da344913898e
SHA-256: 73969152c8f24282f45900d73080334fbe498c96c60b15d72a72ebe0560e7e05
Risk Score: 382

Malware Insights

Win.Dropper.XtremeRAT-9995740-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro, which is designed to execute an embedded OLE package. This package is identified as containing a Portable Executable (PE) file, likely the primary payload. The ClamAV detection name 'Win.Dropper.XtremeRAT-9995740-0' strongly suggests the family and its dropper functionality. The document also contains a lure to execute clipboard content, further indicating malicious intent.

Heuristics (9)

  • OLE with Ole10Native — possible CVE-2026-21514 exploitation (high · CVE likely · CVE_2026_21514)
    Document contains a Word OLE object with Ole10Native plus executable, PE, or risky remote-link indicators. CVE-2026-21514 exploits OLE metadata validation; this stronger structure is treated as likely exploitation.
  • Embedded PE executable (critical · OLE_EMBEDDED_EXE)
    MZ/PE header found inside document — possible embedded executable
  • Ole10Native package drops an auto-executable payload (critical · OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • ClamAV: Win.Dropper.XtremeRAT-9995740-0 (critical · CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Dropper.XtremeRAT-9995740-0
  • ClamAV detection on extracted artifact (critical · EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • AutoOpen macro (high · OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Clipboard command execution lure (high · SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • VBA macros detected (medium · OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (info · EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • macros.bas
    SHA-256: 097c54ab9fcd7746ec8bda24edbb0a5d79ba6d7f69f2169b4ee3b6a55f276b5a
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 649 bytes
  • embedded_office_0000f8b0.exe
    SHA-256: aaa05a970a9b79a8a236e6cbf0c8a63dd0c5c2e2669b5b3f2d57c161e450ab7f
    Kind: embedded-pe
    Source: Office MZ+PE at offset 0xF8B0
    Size: 218960 bytes
    Detection: ClamAV: Win.Dropper.XtremeRAT-9995740-0
    Obfuscation or payload: unlikely
  • ole10native_00.bin
    SHA-256: 5b3f9b081585451a88a0c60c8a9fa16a3f0ff54c08ccea348d80a67eadb457ab
    Kind: ole-package
    Source: OLE Ole10Native stream: ObjectPool/_1690984092/Ole10Native
    Size: 197106 bytes
    Detection: ClamAV: Win.Dropper.XtremeRAT-9995740-0
    Obfuscation or payload: unlikely