Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ef4a4319b9c37c1f…

MALICIOUS

Office (OLE)

Size: 815.5 KB
First seen: 2017-05-13
MD5: a8e700492e113f73558131d94bc9ae2f
SHA-1: b5684384c8028f0324ed7119f6abf379f2789970
SHA-256: ef4a4319b9c37c1f05a4cbfb136c0eaf4a05476028d40a2a6bb07afc567f0f88
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an encrypted Office document, which is a common tactic to evade static analysis and hide malicious content. ClamAV detection as 'Doc.Dropper.Agent-1847916' strongly suggests its purpose is to download and execute a second-stage payload. The encryption prevents analysis of the document body or any embedded scripts.

Heuristics (2)

  • ClamAV: Doc.Dropper.Agent-1847916 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1847916
  • Office document is password-encrypted (severity: medium, rule: OFFICE_ENCRYPTED_PACKAGE)
    The OLE container holds an MS-OFFCRYPTO encrypted package using Standard Encryption (Office 2007, AES).