Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 87eecafd6f81d9e5…

MALICIOUS

Office (OOXML) / .DOC

Size: 320.4 KB
Created: 2021-05-15 09:57:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: ae0a28f48bc960b8a58ed498843b4d22
SHA-1: 0206727ae4b8ebcf7026cf1f3af3c224eaeaeb8d
SHA-256: 87eecafd6f81d9e5ac2e39c570ac20ee9400f55fc82415c7d8eaa8605f7e0ead
Risk score: 69

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model

The file is a malicious OOXML (Word) document containing an embedded OLE object. Heuristics indicate this object is an OLE Package (Ole10Native) carrying an executable or script file, specifically a JAR file. No document body text was available for analysis, and no scripts were extracted. The delivery path is Office's embedded-object handling: a Packager object of this kind is written to a temporary location and launched when the user activates it in the document (Office shows a warning prompt first), so the vector is user execution of the embedded package rather than a parser exploit. With no body text recovered, the lure that would persuade the user to activate it is not visible in this static view.

Heuristics 4

  • [high] OFFICE_PACKAGE_RISKY_FILE: Ole10Native package carries executable/script file type
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • [medium] OOXML_OLE_OBJECT: Embedded OLE object
    Document contains an embedded OLE object.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection: context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding. All twelve URLs below are XML namespace identifiers from the OOXML/WordprocessingML markup, not network indicators; they appear in every Word-authored .docx and should not be blocked or hunted on.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin (kind: ooxml-ole-object, 320512 bytes)
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    SHA-256: 74d8349d1034caf582e13b6e0be77132f42061363bba5986a5a5d981de57b267
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.
  • ooxml_oleobject_00_ole10native_00.bin (kind: ole-package, 315671 bytes)
    Source: Ole10Native stream inside OOXML word/embeddings/oleObject1.bin
    SHA-256: 1c14a6bbeef4df27c8583b235df21844ffcd9b3cd6f46d7dfd47040c26a328da
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content.
  • emf_00.emf (kind: ooxml-emf, 5148 bytes)
    Source: OOXML EMF part: word/media/image2.emf
    SHA-256: 6790b1bba3317a0a16cdd11fb124cfb389093facf4dba2ff9a7cc69fac890b80

Note on the entropy readings: the payload this package carries is identified as a JAR, and a JAR is a ZIP archive whose members are normally DEFLATE-compressed. Compressed data sits near 8 bits per byte by construction, so entropy of 7.98 to 8.00 is expected here and does not on its own indicate packing or encryption. The clean ClamAV result is likewise only the absence of a signature match, not evidence that the payload is benign.
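The OFFICE_PACKAGE_RISKY_FILE check and the entropy readings on the two carved OLE artifacts both come down to what sits inside the Ole10Native stream. The following Python is an added example and not the analysis platform's code: it parses a Packager (Ole10Native) stream into its label (displayName), original path (fullPath), temp path and payload, flags a runnable extension on either name, and reports the payload's container type next to its entropy so that a near-8.0 value can be read correctly (a JAR is a ZIP, so high entropy is expected of compressed content). The stream layout follows the de-facto Packager format as implemented by public parsers: size, flags, label, original path, two 32-bit fields, temp path, data length, data. Everything it operates on is constructed inline; the file names, paths, the RISKY_EXT list and the stand-in JAR are assumptions, not data from this sample.

```python
# Ole10Native (OLE Packager) stream parser with a risky-extension check.
# Added example, not the analysis platform's code; all sample data is constructed.
import io
import math
import random
import struct
import zipfile
from collections import Counter

# Extensions Windows runs, or hands to a script/JVM host, when the package is
# activated. Assumed list for this example; extend it for your environment.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
             ".vbe", ".js", ".jse", ".wsf", ".hta", ".jar", ".lnk", ".msi"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def _cstr(buf: bytes, off: int):
    """Read a NUL-terminated ANSI string at off; return (text, next offset)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(blob: bytes) -> dict:
    """Split a \\x01Ole10Native stream into its fields (Packager layout:
    size, flags, label, original path, two u32 fields, temp path, data)."""
    (native_size,) = struct.unpack_from("<I", blob, 0)   # bytes that follow
    (flags,) = struct.unpack_from("<H", blob, 4)
    label, off = _cstr(blob, 6)            # displayName shown in the document
    src_path, off = _cstr(blob, off)       # fullPath on the author's machine
    off += 8                               # u32 flags + u32 temp-path length
    temp_path, off = _cstr(blob, off)      # where Packager extracted the file
    (data_size,) = struct.unpack_from("<I", blob, off)
    data = blob[off + 4:off + 4 + data_size]
    if len(data) != data_size or native_size + 4 != len(blob):
        raise ValueError("truncated or inconsistent Ole10Native stream")
    return {"flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "data": data}


def _ext(name: str) -> str:
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def triage_package(pkg: dict) -> dict:
    """OFFICE_PACKAGE_RISKY_FILE-style check plus container and entropy context."""
    label_ext, path_ext = _ext(pkg["label"]), _ext(pkg["src_path"])
    data = pkg["data"]
    container = ("zip" if data.startswith(b"PK\x03\x04")   # JAR/DOCX/APK are ZIPs
                 else "pe" if data.startswith(b"MZ") else None)
    ent = shannon_entropy(data)
    return {
        # the path is what Packager ran; the label is what the UI showed and
        # is the part an attacker spoofs, so check both, path first
        "risky_extension": next((e for e in (path_ext, label_ext)
                                 if e in RISKY_EXT), None),
        "label_mismatch": bool(label_ext and path_ext and label_ext != path_ext),
        "container": container,
        "entropy": round(ent, 2),
        # compressed containers sit near 8.0 by construction, so a high value
        # alone is not evidence that the payload is packed or encrypted
        "entropy_explained_by_compression": container == "zip" and ent > 7.0,
    }


def build_ole10native(label: str, src_path: str, temp_path: str,
                      payload: bytes) -> bytes:
    """Writer mirroring parse_ole10native; used only to build the sample stream."""
    body = (struct.pack("<H", 2) + label.encode() + b"\x00"
            + src_path.encode() + b"\x00"
            + struct.pack("<II", 0x00030000, len(temp_path) + 1)
            + temp_path.encode() + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def make_sample_jar() -> bytes:
    """Constructed stand-in JAR: a manifest plus 4 KiB of seeded pseudo-random
    bytes standing in for bytecode, so its entropy resembles the report's."""
    rng, buf = random.Random(7), io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n")
        z.writestr("Loader.class", bytes(rng.getrandbits(8) for _ in range(4096)))
    return buf.getvalue()


def triage_sample() -> dict:
    """End to end: a package labelled as a PDF that actually carries a JAR
    (file names and paths are invented for the example)."""
    stream = build_ole10native(
        "Invoice_2021.pdf",                                  # what the user sees
        "C:\\Users\\author\\Desktop\\Invoice_2021.pdf.jar",  # what actually runs
        "C:\\Users\\author\\AppData\\Local\\Temp\\Invoice_2021.pdf.jar",
        make_sample_jar())
    pkg = parse_ole10native(stream)
    return dict(triage_package(pkg), label=pkg["label"], src_path=pkg["src_path"])


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key:34} {value}")
```

To run this against a real sample, read the \x01Ole10Native stream out of word/embeddings/oleObject1.bin with a compound-file reader such as olefile and pass those bytes to parse_ole10native; the stream starts directly at the 4-byte size field. The spoofed-label case in triage_sample is the situation the heuristic text calls UI extension spoofing: the document shows "Invoice_2021.pdf" while the recorded path ends in .jar, and checking the path first is what catches it.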