MALICIOUS
302
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1105 Ingress Tool Transfer
T1204.002 Malicious File
The sample is an Excel document containing an embedded executable payload disguised as an image to lure the user into clicking it. The embedded executable is dropped and executed, likely to download and run a second-stage payload. The document body text in Russian suggests a lure for viewing a receipt, which is a common social engineering tactic.
Heuristics 7
-
Embedded PE executable critical OLE_EMBEDDED_EXEMZ/PE header found inside document — possible embedded executable
-
Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPERThe OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/SMI/2005/WindowsSettings Embedded OLE package script
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_office_00000ca4.exe |
embedded-pe | Office MZ+PE at offset 0xCA4 | 221532 bytes |
SHA-256: 91c19dc5e1da33762cca228eac40793bc4674207e7eaa426e3e0c1030c63e6ef |
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: MBD01939FD1/Ole10Native | 194618 bytes |
SHA-256: bd4626faaaffaa95de3d9229d2cf9f0800030ff18d96a20be5976756dd680901 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.