Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b3106aaee8226769…

MALICIOUS

Office (OLE)

Size: 10.0 KB    First seen: 2015-09-21
MD5: 154de785931e7f7aa3d53e25249b1bf0
SHA-1: e41c9bdf7dc1b659df766528f5f6e6fabd214f15
SHA-256: b3106aaee82267690961893e487a050a5236a3606dd8aa6a3c96f2498630cc59
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The verdict rests on two critical heuristics: an OLE Package (Ole10Native) object whose embedded file would be auto-executed on activation, and a ClamAV match identifying that embedded file as the EICAR test signature, a harmless standard string used to verify that antivirus scanning works. The embedded file is named 'eicar.com', which, together with the hashes above, is a direct indicator for this sample. Because the payload is the EICAR string rather than live code, the sample is effectively a test of the dropper pattern; the Ole10Native-with-executable-extension heuristic fires on the package's file name, so it would trigger identically on a real dropper carrying a genuine binary.

Heuristics (2)

  • ClamAV: Eicar-Test-Signature  [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Eicar-Test-Signature
  • Ole10Native package drops an auto-executable payload  [critical, OFFICE_PACKAGE_RISKY_FILE]
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
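The following Python is an added example, not code from the analysis platform: it parses an Ole10Native stream into its label (the package's displayName), source path (fullPath), temp path and payload, then applies the extension check that both the "Malware Insights" paragraph and the OFFICE_PACKAGE_RISKY_FILE heuristic describe. The stream layout is the one oletools' oleobj parses (total size, flags, label, source path, two dwords, temp path, payload size, payload); the names given to the two undocumented dwords, the extension list, and the two sample streams are my own assumptions, and the sample payload is a placeholder rather than the EICAR string.

```python
"""Parse an Ole10Native (OLE Package) stream and flag auto-executable file names.

Added example. Layout as parsed by oletools' oleobj; the two undocumented dwords,
the extension list and the sample streams are assumptions, not the platform's own.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Extensions Windows runs directly on double-click. Illustrative subset (assumption).
AUTO_EXEC_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "msi", "cpl", "lnk",
}


@dataclass
class Ole10Native:
    label: str       # displayName shown under the package icon
    src_path: str    # fullPath of the file when it was embedded
    temp_path: str   # where the package writes the file on activation
    payload: bytes


def _cstring(buf: bytes, off: int):
    """Read a NUL-terminated ANSI string at off; return (text, offset after NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    total = struct.unpack_from("<I", stream, 0)[0]        # size of everything after it
    if total + 4 > len(stream):
        raise ValueError("declared stream size exceeds data")
    off = 6                                               # skip size dword + flags word
    label, off = _cstring(stream, off)
    src_path, off = _cstring(stream, off)
    off += 8                                              # type marker + temp-path length (unused)
    temp_path, off = _cstring(stream, off)
    size = struct.unpack_from("<I", stream, off)[0]
    off += 4
    payload = stream[off:off + size]
    if len(payload) != size:
        raise ValueError("payload truncated")
    return Ole10Native(label, src_path, temp_path, payload)


def _ext(name: str) -> str:
    """Last extension of a Windows-style name, lowercased.

    Windows strips trailing dots and spaces on file creation, so 'eicar.com.'
    lands on disk as eicar.com; normalise the same way. Double extensions such
    as report.pdf.exe are judged by the last one.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def is_auto_executable(pkg: Ole10Native) -> Optional[str]:
    """Return the offending name if label or source path would run on double-click."""
    for name in (pkg.label, pkg.src_path):
        if _ext(name) in AUTO_EXEC_EXTS:
            return name
    return None


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Serialise a stream in the layout parse_ole10native reads (for the constructed samples)."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = struct.pack("<H", 2)                           # flags, typically 0x0002
    body += label.encode("latin-1") + b"\x00" + src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0x00000003, len(tmp)) + tmp  # marker value is an assumption
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed samples. The payload is a placeholder, deliberately not the EICAR string.
DROPPER = build_ole10native(
    "eicar.com", r"C:\Users\analyst\eicar.com",
    r"C:\Users\analyst\AppData\Local\Temp\eicar.com", b"PLACEHOLDER-PAYLOAD")
BENIGN = build_ole10native(
    "budget.xlsx", r"C:\Users\analyst\budget.xlsx",
    r"C:\Users\analyst\AppData\Local\Temp\budget.xlsx", b"PK\x03\x04")


def scan_stream(stream: bytes) -> dict:
    """Parse one stream and report what the OFFICE_PACKAGE_RISKY_FILE check would say."""
    pkg = parse_ole10native(stream)
    hit = is_auto_executable(pkg)
    return {"label": pkg.label, "src_path": pkg.src_path,
            "payload_len": len(pkg.payload), "risky": hit is not None, "hit": hit}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real document: walk every \x01Ole10Native stream (needs: pip install olefile).
        import olefile
        with olefile.OleFileIO(sys.argv[1]) as ole:
            for entry in ole.listdir(streams=True, storages=False):
                if entry[-1].lower() == "\x01ole10native":
                    print("/".join(entry), scan_stream(ole.openstream(entry).read()))
    else:
        for name, s in (("DROPPER", DROPPER), ("BENIGN", BENIGN)):
            print(name, scan_stream(s))
```

Run with no arguments to see the two constructed streams scored; run with a path to a .doc/.xls/.ppt to score every embedded package in a real file. The check looks at both the label and the source path because either can carry the dangerous name, and it normalises trailing dots and spaces so that a name like `eicar.com.` is not missed.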

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD00065FB8/Ole10Native
Size: 317 bytes
SHA-256: 2fd88ddf92804d289db4fdf341738339cda0e9453ae5ed04ca68e1e5d583b5dd

The carved file is the raw Ole10Native stream (size header, label, paths and payload), so its SHA-256 is not the hash of the embedded eicar.com file itself; match on the stream hash only against artifacts carved the same way.