Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1b8ceb10a3607c0…

MALICIOUS

Office (OLE)

Size: 125.6 KB
First seen: 2019-11-20
MD5: aaf5dbb4c8bd7fcd703b70c797a9ee48
SHA-1: 87215b18cb5e8ef5ace87911bbb92dd18e937efc
SHA-256: e1b8ceb10a3607c063af6924680872f3ece03215893cecf46a74d4165c175fbd
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature Doc.Malware.Emodldr-10025032-0. A heuristic fired on a reference to Windows Script Host, which suggests script execution. Although VBA macros could not be extracted because the analyzer does not support this document format, the presence of WScript references points to an attempt to run malicious code, most likely a downloader or dropper.

Heuristics (4)

  • ClamAV: Doc.Malware.Emodldr-10025032-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Malware.Emodldr-10025032-0
  • Reference to Windows Script Host (severity: high, rule: SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • Unsupported Office format for VBA extraction (severity: info, rule: OFFICE_FORMAT_UNSUPPORTED)
    The analyzer could not extract VBA macros: the document may be legacy, encrypted or malformed.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body). This is the standard DrawingML XML namespace URI, so on its own it is not an actionable indicator.