Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 87b1b71337ae7bc2…

MALICIOUS

Office (OLE) / .DOCX

36.5 KB Created: 2019-11-18 21:34:00 Authoring application: Microsoft Office Word First seen: 2021-03-01
MD5: 625cf5743fc703833c78842312950c00 SHA-1: 981fbf82e2c96f5c106b8727a5fc1b15bf7918ad SHA-256: 87b1b71337ae7bc237d677fd6559ea6432facb27252fcefcac24bb6132ae8ac8
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing an OLE package that drops a batch file named 'LIST OF JOBS.PDF.bat'. This batch file is likely intended to be executed by the user, posing as a PDF document. The embedded URL was confirmed benign and no scripts were extracted.

Heuristics 2

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1635708847/Ole10Native 17532 bytes
SHA-256: 6017e9584a2347d9409d7d839d8ae5377a1387480239b4b8f0145cfc80fb5c4b

Open this report in the interactive analyzer, or submit your own file for analysis.