Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 b47fd51389538222…

MALICIOUS

Office (OLE) / .DOC

243.5 KB Created: 2021-10-18 19:57:00 Authoring application: Microsoft Office Word First seen: 2021-10-23
MD5: 2870ffc563d32f1e0ab5f4a379fe74ce SHA-1: 273984c8481c70e8d83c8218752e274a0f92642b SHA-256: b47fd51389538222a45377b86c2c26d39b7603da970251802ba2d6fa2963417e
64 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is a Microsoft Office Word document containing an embedded OLE package. A high-severity heuristic indicates that this package carries an executable or script file, specifically identified by the '.jar' extension. This suggests the document is designed to drop and execute a secondary payload, likely a Java-based malware. The embedded URL is not malicious.

Heuristics 3

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1696103040/Ole10Native 211669 bytes
SHA-256: 158c76ae3289dc6237de977306375559e81e423b99e29a77282c2334f07258c0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
ole10native_00_h6tj1CrqcLrIYoSnVb7roh51QrKRMbevLNZkeDVsGdWKv78.jar ole-package-payload OLE Ole10Native payload: ObjectPool/_1696103040/Ole10Native; display_name=h6tj1CrqcLrIYoSnVb7roh51QrKRMbevLNZkeDVsGdWKv78.jar; full_path=C:\Users\MICROS~1\AppData\Local\Temp\{6BB9077E-AC39-4D12-A459-E7916BA77D39}\h6tj1CrqcLrIYoSnVb7roh51QrKRMbevLNZkeDVsGdWKv78.jar; temp_path=; def_file= 210727 bytes
SHA-256: a813705f7008c5f41f5a1b69ac0686079e1439bf8dc5d3e2910222422667976b

Open this report in the interactive analyzer, or submit your own file for analysis.