Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 af648e77730fcf3a…

MALICIOUS

Office (OOXML) / .DOC

Size: 201.7 KB
Created: 2021-03-05 07:12:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: ab03ba4879a8aa0ec667c3d9a122a426
SHA-1: 1e7ffc02ce4cf23165733cd44db6f1cbfcc1f54a
SHA-256: af648e77730fcf3afd385bd82362be3b099b5b30c9a38815b106939336252a5b
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is a Microsoft Office document containing an embedded OLE object. Heuristics indicate this object is a risky file type, specifically a JAR file, suggesting it's intended to deliver a secondary payload. The embedded artifact is identified as an OLE package, further supporting the delivery mechanism. No specific family is identified due to the lack of further analysis on the embedded object.

Heuristics (4)

  • Ole10Native package carries executable/script file type (severity: high, OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Embedded OLE object (severity: medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 18a64f862c3b014ca0355adbe7594fb9929782d0b878a9bf549d9fc840a8c485
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 194048 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.97, consistent with packed or encrypted content.
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 58e4ab0f1201f7668a7c30765cadffcc5ad88f658447255cf930755e8dac5f93
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 190223 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 8.00, consistent with packed or encrypted content.
  • Filename: emf_00.emf
    SHA-256: 0fe227a6476cf2d923edd6a2bf8a98fad9865649bacd0d43d642435c16111b68
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 5148 bytes