Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aa1ff5d3f02da830…

MALICIOUS

Office (OLE)

Size: 21.0 KB
Created: 2015-07-07 21:43:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: cb8e88b4d40d387b9ec0d80435d862b5
SHA-1: cc04106504179e2c8bb407f19e689c88e302a145
SHA-256: aa1ff5d3f02da830e3cc5bef776fa1545fac9a1eed246cd511ac0f9c5b24e654
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains references to PowerShell and Windows Script Host, suggesting it may attempt to execute scripts. The embedded URL http://techdallas.xyz/dl.php is likely used to download and execute a second-stage payload. The document body's mention of 'EMBED Package' indicates a lure related to package delivery to trick the user into opening the malicious attachment.

Heuristics (3)

  • Reference to PowerShell [high] SC_STR_POWERSHELL
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://techdallas.xyz/dl.php [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main [In document text (OLE body)]