Verdict: MALICIOUS
Risk Score: 624

Malware Insights

MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1203 Exploitation for Client Execution
The sample leverages an Ole10Native package to drop and execute a payload, indicated by critical heuristics like 'OFFICE_PACKAGE_SCRIPT_DROPPER' and 'OFFICE_PACKAGE_RISKY_FILE'. The document body contains lures for clipboard command execution and requests for recovery secrets, suggesting a phishing or social engineering attack. The embedded Ole10Native package likely downloads and executes a second-stage payload from URLs such as http://llvm.org/git/clang.git, which is a common dropper behavior.
Heuristics (16)

Each entry lists the heuristic name, its severity, its rule ID, and the rule's description.

- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- Office EPRINT stream contains EMF object (high, OLE_EPRINT_EMF_OBJECT): OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and counts as related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
- ClamAV: Doc.Dropper.Agent-6527183-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6527183-0.
- Ole10Native package payload is a download-and-execute script (critical, OFFICE_PACKAGE_SCRIPT_DROPPER): The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
- Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE): OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
- Recovery secret / private key request (critical, SE_SECRET_RECOVERY_LURE): Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
- PEB access via GS segment (x64) (high, SC_PEB_ACCESS_X64): PEB access via GS segment (x64).

  Disassembly
  x86 disassembly · validity: code (0.969) — 5/5 branch targets land on an instruction boundary (100% coherence)

```asm
000C7892 65488b042560000000  mov rax, qword ptr gs:[0x60]
000C789B 8b90bc000000        mov edx, dword ptr [rax + 0xbc]
000C78A1 c1ea08              shr edx, 8
000C78A4 f6c201              test dl, 1
000C78A7 7511                jne 0xc78ba
000C78A9 ff15bef10100        call qword ptr [rip + 0x1f1be]
000C78AF 488bc8              mov rcx, rax
000C78B2 8bd3                mov edx, ebx
000C78B4 ff1543f40100        call qword ptr [rip + 0x1f443]
000C78BA 8bcb                mov ecx, ebx
000C78BC e80c000000          call 0xc78cd
000C78C1 8bcb                mov ecx, ebx
000C78C3 ff151cf10100        call qword ptr [rip + 0x1f11c]
000C78C9 cc                  int3
000C78CA cc                  int3
000C78CB cc                  int3
000C78CC cc                  int3
000C78CD 48895c2408          mov qword ptr [rsp + 8], rbx
000C78D2 57                  push rdi
000C78D3 4883ec20            sub rsp, 0x20
000C78D7 488364243800        and qword ptr [rsp + 0x38], 0
000C78DD 4c8d442438          lea r8, [rsp + 0x38]
000C78E2 8bf9                mov edi, ecx
000C78E4 488d1526d9f6ff      lea rdx, [rip - 0x926da]
000C78EB 33c9                xor ecx, ecx
000C78ED ff                  .byte 0xff
000C78EE 15                  .byte 0x15
000C78EF ea                  .byte 0xea
000C78F0 f1                  int1
000C78F1 01                  .byte 0x01
```

  Reading note: `gs:[0x60]` is the x64 PEB pointer and offset 0xbc within the PEB is NtGlobalFlag, so the first four instructions test a bit of NtGlobalFlag. Compiler-generated runtime code reads this field too, so on its own this indicator does not establish hand-written shellcode. The trailing `.byte` entries are the first bytes of another `call qword ptr [rip + ...]` (`ff 15`) whose 32-bit displacement is cut off by the end of the carved region.
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API.
- Reference to ShellExecute API (high, SC_STR_SHELLEXEC): Reference to ShellExecute API.
- Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY): Reference to LoadLibrary API.
- Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS): Reference to GetProcAddress API.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- VBA project contains no executable statements (info, OLE_VBA_MACROS): Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

| URL | Channel |
|---|---|
| http://malware-click.in/ | In document text (OLE body) |
| http://ocsp.usertrust.com0 | Embedded OLE package script |
| https://secure.comodo.net/CPS0F | Embedded OLE package script |
| http://ocsp.comodoca.com0 | In document text (OLE body) |
| http://www.usertrust.com1 | In document text (OLE body) |
| https://www.bdc.ca/PublishingImages/sections/header_section_home_en.png | In document text (OLE body) |
| http://llvm.org/git/clang.git | Embedded OLE package script |
| http://llvm.org/git/llvm.git | Embedded OLE package script |
| https://www.chiark.greenend.org.uk/~sgtatham/putty/ | Embedded OLE package script |
| http://schemas.microsoft.com/SMI/2005/WindowsSettings | Embedded OLE package script |
| http://crl.usertrust.com/AddTrustExternalCARoot.crl05 | Embedded OLE package script |
| http://crl.comodoca.com/COMODOSHA256CodeSigningCA.crl0w | Embedded OLE package script |
| http://crt.comodoca.com/COMODOSHA256CodeSigningCA.crt0$ | In document text (OLE body) |
| http://crl.usertrust.com/UTN-USERFirst-Object.crl05 | In document text (OLE body) |
| https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | In document text (OLE body) |
| http://schemas.openxmlformats.org/drawingml/2006/main | In document text (OLE body) |

Reading note: the stray trailing characters on several URLs (`0`, `0F`, `05`, `0w`, `0$`, `1`) are neighbouring bytes of the ASN.1-encoded Authenticode certificate chain that the string scanner carried along; the OCSP, CRL and CPS entries are standard certificate fields rather than dropper callbacks, and the llvm.org git URLs are the form clang embeds in its compiler version string. Confirm a URL is actually referenced by executable logic before treating it as a download source.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 381 bytes | 31ab247ed62fba8b597fa2164d1395b7aeab6274697a3e6aaf9e15951143c0c2 |
| ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1586760197/Ole10Native | 854357 bytes | da9f6e6b05a81287501afab52df843bf82a2fffeaeda2b48d4c9964fd89b6724 |
| ole10native_00_putty.exe | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1586760197/Ole10Native; display_name=putty.exe; full_path=C:\Users\vlam\AppData\Local\Temp\putty.exe; temp_path=; def_file= | 854072 bytes | 7afb56dd48565c3c9804f683c80ef47e5333f847f2d3211ec11ed13ad36061e1 |

macros.bas: script preview (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "CheckBox1, 0, 0, MSForms, CheckBox"
Attribute VB_Name = "NewMacros"
```

ole10native_00.bin: detection
- ClamAV: No threats found
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_CREATEPROCESS
- Static shellcode analysis recovered API/import strings: ShellExecuteA, CreateProcessA, ExitProcess, CreateFileW, CreateThread, GetProcAddress

ole10native_00_putty.exe: detection
- ClamAV: No threats found
- Obfuscation or payload: likely
- Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_SHELLEXEC, SC_STR_CREATEPROCESS
- Static shellcode analysis recovered API/import strings: ShellExecuteA, CreateProcessA, ExitProcess, CreateFileW, CreateThread, GetProcAddress