Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 021bb3d0311a8409…

MALICIOUS

Office (OOXML)

Size: 527.3 KB
Created: 2019-05-27 22:54:04 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-07-24
MD5: 5e97e0f3ccceb56d1615e9b6fef109ea
SHA-1: fac5a7e8f357e46aec4191f5efc2a68657ce10f3
SHA-256: 021bb3d0311a840993ce41486b0e916cbac60e7c1eb720a37e11045bdc760d54
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is an OOXML (Excel) workbook containing one embedded OLE object, xl/embeddings/oleObject1.bin, identified by its CLSID as an Equation Editor object. The same object carries the URL http://theabandonedstory.co.uk/file/obi.exe, which also appears in the document text and most likely hosts the next-stage payload. Together these point to a spearphishing attachment (T1566.001) that relies on the legacy Equation Editor component for client-side execution (T1203): the document needs only to be opened in a vulnerable Office build, and the embedded URL tells us where the second stage is fetched from.

Heuristics 5

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. The CLSID alone shows that the component is invoked, not which (if any) of these flaws the object triggers; the carved part's size (537600 bytes) and maximal entropy (see Extracted artifacts) are, however, far from what a genuine equation object looks like.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (under the xl/, word/ or ppt/ embeddings folder) carries a next-stage download URL in its Ole10Native/Package stream, stored either literally (ASCII or UTF-16) or base64-encoded, which the package-level URL sweep does not see. The URL is surfaced as an IOC; the check is low-noise because only a literal download URL inside the object stream triggers it, so hits are real payload hosts.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://theabandonedstory.co.uk/file/obi.exe (channel: document text, OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 537600 bytes
SHA-256: deaff0220cf5b8e836417a0a99671fd759d0eb75b0ae27f52687ae14bf317fa6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00 bits per byte, the maximum possible, consistent with packed, encrypted or otherwise random-looking content. A genuine Equation Editor object is small and consists mostly of structured compound-file data with much lower entropy, so this reading supports an encoded payload rather than a benign formula; note that a ClamAV miss on such a blob is expected, since signatures have nothing recognisable to match.
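As an added worked example (not tooling from this page or from the analysis platform that produced the report), the Python below reproduces the three checks the report relies on: the Equation Editor CLSID heuristic, recovery of a next-stage URL stored as ASCII, UTF-16LE or base64 inside an embedded OLE part, and the entropy test applied to the carved artifact. It runs against a constructed OOXML package built in memory, not the real oleObject1.bin; the CFB magic, the "Equation Native" stream name and the uniform byte filler that stands in for packed content are assumptions made for the example. The CLSID {0002CE02-0000-0000-C000-000000000046} is the well-known Microsoft Equation 3.0 class ID and is scanned in the little-endian byte layout a compound-file directory entry uses. A production tool would parse the compound file with olefile rather than byte-scanning it.

```python
import base64
import io
import math
import re
import uuid
import zipfile
from collections import Counter

# Microsoft Equation 3.0 CLSID. A CFB directory entry stores GUIDs in
# little-endian layout, so bytes_le is the form found in oleObject*.bin.
EQNEDT_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
# Stream name used by Equation Editor objects; assumed indicator for this example.
EQNEDT_NAME_UTF16 = "Equation Native".encode("utf-16-le")

# URL stored literally (ASCII), as UTF-16LE, and base64 runs worth decoding.
ASCII_URL = re.compile(rb"https?://[^\x00-\x20\"'<>\x7f-\xff]+")
UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def is_equation_editor(ole: bytes) -> bool:
    """Raw-byte indicator: Equation Editor CLSID or stream name present."""
    return EQNEDT_CLSID_LE in ole or EQNEDT_NAME_UTF16 in ole


def extract_urls(data: bytes) -> set:
    """Recover URLs stored as ASCII, UTF-16LE, or inside base64 blobs."""
    found = set()
    for m in ASCII_URL.finditer(data):
        found.add(m.group().decode("ascii"))
    for m in UTF16_URL.finditer(data):
        found.add(m.group().decode("utf-16-le"))
    for m in B64_RUN.finditer(data):
        body = m.group().rstrip(b"=")
        pad = -len(body) % 4
        if pad == 3:  # not a valid base64 length (e.g. an ordinary word)
            continue
        try:
            decoded = base64.b64decode(body + b"=" * pad, validate=True)
        except ValueError:
            continue
        for u in ASCII_URL.finditer(decoded):
            found.add(u.group().decode("ascii"))
    return found


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_ooxml(blob: bytes) -> dict:
    """Walk an OOXML zip: triage every embedded OLE part, sweep XML parts for URLs."""
    report = {"body_urls": set(), "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if "/embeddings/" in name:
                report["embeddings"].append({
                    "part": name,
                    "size": len(data),
                    "equation_editor": is_equation_editor(data),
                    "urls": extract_urls(data),
                    "entropy": shannon_entropy(data),
                })
            elif name.endswith(".xml"):
                report["body_urls"] |= extract_urls(data)
    return report


def build_sample() -> bytes:
    """Constructed test package (not the analysed sample): an .xlsx-shaped zip whose
    embedding carries the Equation Editor CLSID and the URL in UTF-16LE and base64,
    followed by uniform filler standing in for a packed payload."""
    url = "http://theabandonedstory.co.uk/file/obi.exe"
    fake_ole = (
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # CFB magic, cosmetic only
        + EQNEDT_CLSID_LE
        + EQNEDT_NAME_UTF16
        + url.encode("utf-16-le") + b"\x00\x00"
        + base64.b64encode(url.encode())
        + bytes(range(256)) * 1000                   # entropy exactly 8.0
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml", f"<sst><si><t>{url}</t></si></sst>")
        zf.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_ooxml(build_sample())
    print("document-body URLs:", sorted(result["body_urls"]))
    for e in result["embeddings"]:
        print(f'{e["part"]}: {e["size"]} bytes, entropy {e["entropy"]:.2f}, '
              f'equation_editor={e["equation_editor"]}, urls={sorted(e["urls"])}')
```

Pointing triage_ooxml at a real .xlsx/.docx/.pptx reproduces the report's OLE_EQUATION_EDITOR, OOXML_EMBEDDED_OBJECT_URL and entropy findings; the base64 path deliberately skips runs whose length is not a valid base64 length, which is what keeps ordinary words in XML from producing decode noise.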