Verdict: MALICIOUS (Risk Score 82)
Malware Insights
MITRE ATT&CK:
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
- T1027 Obfuscated Files or Information
The sample is a malicious Office document containing embedded OLE objects. One heuristic indicates that an 'Ole10Native' package drops an auto-executable payload named 'abuser1337.scr'. This suggests the document is likely a lure to trick the user into opening it, leading to the execution of a malicious screen saver file.
Heuristics (3)
- Ole10Native package drops an auto-executable payload [critical, OFFICE_PACKAGE_RISKY_FILE]: the OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
- Embedded OLE object [medium, OOXML_OLE_OBJECT]: the document contains an embedded OLE object.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
Extracted artifacts (15)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 285184 bytes | 81b1e3d3599b5defa47dc6556855d719e23a4595e1531914e8ee572c25a83ee5 |
| ooxml_oleobject_00_ole10native_00.bin | ole-package | Ole10Native stream in word/embeddings/oleObject1.bin | 280373 bytes | 18afceb5f2924c266c028892a41370b1442c47e985eba38008ab2b73be621e80 |
| ooxml_oleobject_01.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject5.bin | 285184 bytes | e8e35181655062fa829ed81dfddc5134dee28236c216368b49ea7c14bcc6394c |
| ooxml_oleobject_01_ole10native_00.bin | ole-package | Ole10Native stream in word/embeddings/oleObject5.bin | 280352 bytes | a953f1395ca6afc7950f073c786b2713f9b7e6dffa9060f514da51f835063fc3 |
| ooxml_oleobject_02.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject4.bin | 285184 bytes | f14c0e36d7f5ec27b4455c879c4f2810704ef4c5b208d1aeeb6e410150d4d6a6 |
| ooxml_oleobject_02_ole10native_00.bin | ole-package | Ole10Native stream in word/embeddings/oleObject4.bin | 280334 bytes | 20dee08eac7018ffa37d93ab71b6b163e126d01c18a34382f9876fb12f215c90 |
| ooxml_oleobject_03.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject2.bin | 285184 bytes | 23b7fb9edde0bf36b1f7d89c57afa5871faea5f056c4cbd0e3881969b3905ab2 |
| ooxml_oleobject_03_ole10native_00.bin | ole-package | Ole10Native stream in word/embeddings/oleObject2.bin | 280364 bytes | 79584630032de0d76450ea4578599633d414c786b3a9f9a5a1bece62d6502f58 |
| ooxml_oleobject_04.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject3.bin | 285184 bytes | e9938406203006bddb3c6a86709ae85c7a337ad24e3f699e08820a0864dff8bb |
| ooxml_oleobject_04_ole10native_00.bin | ole-package | Ole10Native stream in word/embeddings/oleObject3.bin | 280400 bytes | 1fa0eefd5e46e373f92759f76d54a45917489894c714552d6911267b08cff70a |
| emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image1.emf | 5016 bytes | 94debb0a77c23c35a66878ece76388dc4d5c1b0e1df656e7250eef303300f3db |
| emf_01.emf | ooxml-emf | OOXML EMF part: word/media/image4.emf | 5060 bytes | 5a5c0c676c7d1aa7797225b8e1b259a4352d8f4212ecd668298b378c79287f01 |
| emf_02.emf | ooxml-emf | OOXML EMF part: word/media/image5.emf | 5084 bytes | 1f40bf6b03e9abfe06f6746eb2882be7fcee7a8506a3416e10933f8752645f36 |
| emf_03.emf | ooxml-emf | OOXML EMF part: word/media/image3.emf | 5036 bytes | 690bd839c723a9dcadaa961ead9515751d44b87211d95603210d5f55700be671 |
| emf_04.emf | ooxml-emf | OOXML EMF part: word/media/image2.emf | 5012 bytes | 9d2dbc166a7f248c16bf5489e6e3e444aa875e21536cf94d078d042607534630 |