MALICIOUS
Risk Score: 204
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1137.001 Office Application Startup: VBA
T1204.002 Malicious File: User Execution
The document contains a lure for Steam accounts, which is a common tactic for social engineering. Critical heuristics indicate that an embedded OLE object drops an auto-executable payload named 'img12.scr'. This payload is detected by ClamAV as 'Win.Trojan.Agent-1246306', suggesting it's a malicious agent designed to be executed by the user.
Heuristics (5)
- ClamAV: Win.Trojan.Agent-1246306 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Agent-1246306
- Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE): OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
- Embedded OLE object (medium, OOXML_OLE_OBJECT): Document contains an embedded OLE object
- Payload URL recovered from embedded OLE object (1 URL) (info, OOXML_EMBEDDED_OBJECT_URL): An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream, stored literally (incl. UTF-16) or base64-encoded, which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - https://steamcommunity.com/profiles/ (in document text: OOXML body / shared strings)
Extracted artifacts 26
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | ClamAV detection | Obfuscation or payload |
|---|---|---|---|---|---|---|
| ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject12.bin | 610816 bytes | a95625434c85dd417a5861db07f4f7146fb9cfe4b9dbad148375e01641ba89dd | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject12.bin Ole10Native stream: Ole10Native | 603355 bytes | 4cbcbc713a8b6f226015c95bb5c5e8caf02b93fbf03ee261ab1c7e86a5d1e054 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_01.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject10.bin | 610816 bytes | 360e33f857a106e2585c039bc6e4adbd21d5a6a946e6674f2c573e6c35d03352 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_01_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject10.bin Ole10Native stream: Ole10Native | 603355 bytes | 30b004f24f7efad17be4802b472c8f74ad7857949400aee22a92ee8efba3781f | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_02.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject7.bin | 610816 bytes | f1a81590b740656c3adc7039c9722308ac83ab0a38a48ff556fc55c72fd7d422 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_02_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject7.bin Ole10Native stream: Ole10Native | 603346 bytes | 4fa0b171919d0201f2d2c6208da4f322b758764e71337d17da4ca1f09a5b5c66 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_03.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject13.bin | 610816 bytes | 12953b1fe2685637ab9897f00b6907b3cf7f03e7d358852da2fc108b2abd3229 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_03_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject13.bin Ole10Native stream: Ole10Native | 603355 bytes | 74be58c25e46c6bd134f543f582f7a4bc7ab3f8eafaeb01b975f7571e10a681f | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_04.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject5.bin | 610816 bytes | c8df2596f1b80cf16e7a31e5686d9c8773665da630f5c4d4da2b78038cc2bd22 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_04_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject5.bin Ole10Native stream: Ole10Native | 603346 bytes | 1c1aefb17c34d6ce268c24fd72035602ac73681c39ff2a72d239df5e6b80e730 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_05.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject2.bin | 610816 bytes | e153a7c99e63475cd2e5c1a80a5820eb6d6143c9902b8b1c90c09bb784799970 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_05_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native | 603346 bytes | 200b11cf04118147543858efdc23862b4b53c7ac9a077f49d3789371da538208 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_06.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 610816 bytes | e0bf07b623a224fae6761b46475a282bca9a741629108bef67f01a9dd13bf18a | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_06_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 603358 bytes | fdee7fa235c84a9de65b7042e4ba10abd666a91e537bf7274ad99cffa12fa95d | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_07.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject4.bin | 610816 bytes | 69fdc85bec8a233c6d17f1e720951abd216bc9216d44519957f9ad81b56af2d0 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_07_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject4.bin Ole10Native stream: Ole10Native | 603346 bytes | f2388ce242e26182618ebf16492779a51cb6a71f25e66a465e1da67f984124b9 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_08.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject8.bin | 610816 bytes | 374b02a83d07950cfa2fab7de526f1b125ccc90794b50f8f9a3265b53141b629 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_08_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject8.bin Ole10Native stream: Ole10Native | 603358 bytes | a9ac22667968d0a8767ada813527150d959881640a5c7f0fad98c28c5402cc9c | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_09.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject11.bin | 610816 bytes | 0816d3626b43ed14d52ca3f3c26efd15ba422d791053c1ddc15b767d2e408249 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_09_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject11.bin Ole10Native stream: Ole10Native | 603355 bytes | 991097b1b7f663b106ac6dfd4b31c9ca540da358317d6837eac1cf5e71aa6b1b | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_10.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject6.bin | 610816 bytes | 151d0a649df6be9d070c7b968a22018fe8b49fdecbd8a6f2bbc90ab2d77270ed | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_10_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject6.bin Ole10Native stream: Ole10Native | 603346 bytes | 641bb997131e18b3460230bb7c21b4150b4f6566f14607306fa0ce178d8a6949 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_11.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject3.bin | 610816 bytes | 514ef841b7126a2772ccecb7aeac1ae0bad6f3038fc6b35bf762032b5112e8c8 | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_11_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject3.bin Ole10Native stream: Ole10Native | 603346 bytes | a85ea51f13c724a6affbb1a69df242f4a2affa25a554ef9faf4a5796c5d29e9d | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_12.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject9.bin | 610816 bytes | 2b2f2f42a9ac9b118e8f670bf3e3a39023560226a2352bb9d9067a6b9e609f5f | Win.Trojan.Agent-1246306 | unlikely |
| ooxml_oleobject_12_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject9.bin Ole10Native stream: Ole10Native | 603346 bytes | c506abe433bfcb94ef069b7b8320ca32a2306ea1937653ed4b221f03df8cb1c7 | Win.Trojan.Agent-1246306 | unlikely |