Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 abeb9ed173946d7a…

MALICIOUS

Office (OOXML) / .DOC

Size: 296.7 KB
Created: 2021-10-26 12:16:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2021-10-27
MD5: 18f79559fb9321b3e0315707ac9789f9
SHA-1: 65120f86bc3acd222fa1239e58c2187ff9166399
SHA-256: abeb9ed173946d7a7e6662eacb5341b62b14fd32a4ad0604ab8614f1810a8788
Risk Score: 69

Malware Insights

MITRE ATT&CK: T1559.001 Component Object Model Hijacking

The file is a Microsoft Office document containing an embedded OLE object. Heuristics indicate this object is a risky file type, specifically a JAR archive, which is often used to deliver malware. The embedded artifact is identified as an OLE package, suggesting it was designed to be executed or unpacked by the host application. The presence of this embedded executable within a document is a strong indicator of a malicious delivery mechanism.

Heuristics (4)

  • Ole10Native package carries executable/script file type [high] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

ooxml_oleobject_00.bin
  SHA-256: 8902d00de3460ea35762cc907e4d3dc39c2f9b3be7a7be4aea0fcc9249cbdea9
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 293376 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content)

ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 900f67c54ca78f8b356dd9b5c02e0fb65542758b29442e8743de62f12371da88
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
  Size: 288083 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

emf_00.emf
  SHA-256: c4c94f740cf338fd446f68a5883b411d96701f4e042b1b60c6d23e947718dbdc
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 5140 bytes