Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 bfbcd4cc4172bb76…

MALICIOUS

Office (OOXML) / .DOC

293.0 KB Created: 2022-09-15 08:44:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2022-09-16
MD5: e566dd4af38e1e451f64f64999e812f1 SHA-1: 31b6d8b5f15505664e51125f51c7ed79f47c4eae SHA-256: bfbcd4cc4172bb7685b8bfeeabf7ebad9a001e958fc0c95e8e7cdf3b23f5a6e5
84 Risk Score

Malware Insights

MITRE ATT&CK
T1559 Component Object Model Hijacking T1559.001 Component Object Model Hijacking: Component Object Model Hijacking

The file contains an embedded OLE object, identified as a risky file type that drops an auto-executable payload. The heuristic 'OFFICE_PACKAGE_RISKY_FILE' specifically flags this behavior, indicating the embedded object is intended to execute automatically. The extracted artifacts, including the OLE object and its native representation, are the primary indicators of this malicious functionality.

Heuristics 4

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
7d072154ac3e7d5d8001b68bfaaddb4fe8952c2a83f1b11bea9885848814ed71		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 190976 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
aede29252dcf2b0aba8b2a8476f22819893aba4eeeece7aeb84cc6d766ec0826		 ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 186876 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
emf_00.emf
bb4c6994fd28779fc9959b363f2491bc550690ff0a309993b2d31eb919241aa5		 ooxml-emf OOXML EMF part: word/media/image3.emf 5464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.