Malicious Office (OLE) / .DOCX — malware analysis report

Static analysis result for SHA-256 905ef0ae8f5173b9…

MALICIOUS

Office (OLE) / .DOCX

71.5 KB Created: 2020-09-17 11:45:00 Authoring application: Microsoft Office Word First seen: 2021-03-01
MD5: e10c1a21e681896bf26f388f0f4df107 SHA-1: bcf5ae3a660e06ff7e1bc0890b210177515c52a7 SHA-256: 905ef0ae8f5173b917a4f39063346825f4b23ae75cb4b3190300cb064bd002b9
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is a malicious Office document that embeds a batch file disguised as a PDF. The embedded batch file, named 'Preventive Measures.PDF.bat', is designed to be executed automatically, likely leading to arbitrary command execution on the victim's system. The document body is minimal, providing no further context on the lure.

Heuristics 2

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1661834250/Ole10Native 25885 bytes
SHA-256: bb3e08865313fd37bfca234fd1bb81d894d2ae39623b0aba861b0fbf3b952684
ole10native_01.bin ole-package OLE Ole10Native stream: ObjectPool/_1661834251/Ole10Native 25867 bytes
SHA-256: 06462c3701c5e7a1d623bdd7eb05b744d39acd7c58774f75f4276e83e31c17fe