Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a2d7f63c0adb3b1f…

MALICIOUS

Office (OLE)

213.8 KB Created: 2018-07-19 05:29:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: b12bd4d339e76452fa5bac76ec21aa71 SHA-1: ec4cf81dcd4d71c4140c7bd432bcbbc8acbc9cf6 SHA-256: a2d7f63c0adb3b1f3a733290ac46691dabe2e2069384fc1d3d1dec8b0a4a0328
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is detected as a malicious dropper by ClamAV, suggesting it is designed to download and execute additional malware. The document format is unsupported for VBA extraction, and the document body is heavily obfuscated, preventing a more detailed analysis of its specific lure or payload delivery mechanism. The presence of a benign URL does not detract from the malicious nature indicated by the ClamAV detection.

Heuristics 3

  • ClamAV: Doc.Dropper.Agent-6857723-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6857723-0
  • Unsupported Office format for VBA extraction info OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (IndexError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.