Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fb069816c7442f3e…

MALICIOUS

Office (OLE)

Size: 47.0 KB
Created: 2018-01-23 20:01:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 1218bb15faffb54a8d8cb9b963e16f23
SHA-1: 44baf0301973d626bae3dcf493b578d09f8293a3
SHA-256: fb069816c7442f3e81ca5cbf14fcb1459d2a4967002903ff4d321cc8d1be341b
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The document contains a DDEAUTO command that attempts to execute MSBuild.exe with a remote XML file as an argument. This technique is commonly used to download and execute malicious payloads. The presence of the DDEAUTO command and the execution attempt strongly suggests exploitation for client execution, likely delivered via spearphishing.

Heuristics (2)

  • ClamAV: Doc.Exploit.DDEautoexec-6352494-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6352494-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)