Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 02ec371868f200a7…

MALICIOUS

Office (OOXML) / .DOC

35.9 KB Created: 2013-12-23 23:15:00 UTC Authoring application: Microsoft Macintosh Word 14.0000
MD5: c3270905e2da14e91f14e8d679eb2334 SHA-1: adf117a33767ac638b5194c977fd926249ca360f SHA-256: 02ec371868f200a73be422bad4762884f6aec9932550b9a344db25d7a8f32ccc
162 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample contains a critical DDE AUTO command that executes cmd.exe to download and run a second-stage payload named 'revshell.exe' from the IP address 10.127.196.102. This payload is then saved as '%TEMP%\svc.exe' and executed. This indicates a clear intent to download and execute arbitrary code from a remote attacker-controlled server.

Heuristics 4

  • Malicious DDE command critical OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: \\system32\\cmd.exe
  • ClamAV: Doc.Exploit.DDEautoexec-6346603-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://10.127.196.102:9090/revshell.exe
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/mac/office/2008/main
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Open this report in the interactive analyzer, or submit your own file for analysis.