Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 060f239816b68f60…

MALICIOUS

Office (OOXML)

Size: 33.3 KB | Created: 2013-01-24 09:07:00 UTC | Authoring application: Microsoft Office Word 14.0000 (Word 2010) | First seen: 2017-11-13
MD5: e62a1fa96a37c735581101e8723fb2d0
SHA-1: 942eeeef776d9fedc264ec151284522d617b2c53
SHA-256: 060f239816b68f603ea16248d8670e12176c3bca32192c4cc7046c68ecaefc7f
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious OOXML (Word 2010) document that carries an embedded OLE object, flagged by the 'OOXML_OLE_OBJECT' heuristic; the carved part is a Word 97-2003 (.doc) binary (see Extracted artifacts). The 'OOXML_EXTERNAL_REL' heuristic fired on an external relationship in word/_rels/settings.xml.rels whose target is a file path to a .dotx template. An external target in settings.xml.rels is normally the attached-template reference, which Word resolves when the document is opened; here the target is a D:\ drive path rather than an HTTP or UNC location, so it is more likely residue of the author's environment than a remote-template fetch, and the embedded .doc object is the more plausible payload. Taken together, the document is consistent with a spearphishing attachment that relies on the user opening the embedded object, leading to further exploitation on the client.

Heuristics (3)

  • External relationship  [high]  OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///D:\Мои документы\03_ПРИКАЗ.dotx
    (Russian path: "Мои документы" is "My Documents", "ПРИКАЗ" is "ORDER". A D:\ drive path only resolves on a machine that has that folder, typically the author's; on a victim host the reference fails silently instead of fetching a template.)
  • Embedded OLE object  [medium]  OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is an XML namespace or relationship-type identifier found in a standard Word 2010 document; Word never retrieves them over the network, and none of them is an indicator on its own.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  (OOXML external relationship)
    • http://schemas.openxmlformats.org/markup-compatibility/2006  (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  (OOXML external relationship)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  (OOXML external relationship)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordml  (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2006/wordml  (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  (OOXML external relationship)
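The two heuristics above reduce to a simple scan of the OOXML zip: walk every *.rels part for relationships with TargetMode="External", and list any part under word/embeddings/ (checking for the OLE compound-file magic). The script below is an added example, not the analysis platform's code, and it runs on a constructed stand-in package rather than the analysed sample. It assumes the external relationship is of the attachedTemplate type (the report only states that the target sits in settings.xml.rels); the classify_target() triage of local-drive versus remote targets is this example's own, and the OLE and EMF blobs are hand-written placeholders.

```python
"""Scan an OOXML package for external relationships and embedded OLE parts.
Added example; not the analysis platform's own code."""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_RELS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # [MS-CFB] compound file signature


def build_sample_docx() -> bytes:
    """Constructed minimal .docx reproducing the report's two findings.
    NOT the analysed sample: the OLE and EMF parts are placeholder bytes and the
    attachedTemplate relationship type is an assumption about the real file."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{PKG_RELS_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_RELS_NS}/attachedTemplate" '
        'Target="file:///D:\\Мои документы\\03_ПРИКАЗ.dotx" TargetMode="External"/>'
        "</Relationships>"
    )
    document_rels = (
        f'<Relationships xmlns="{PKG_RELS_NS}">'
        f'<Relationship Id="rId2" Type="{DOC_RELS_NS}/oleObject" Target="embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId3" Type="{DOC_RELS_NS}/image" Target="media/image1.emf"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        # placeholder OLE part: CFB header signature followed by zero padding
        z.writestr("word/embeddings/oleObject1.bin", OLE_CFB_MAGIC + b"\x00" * 504)
        # placeholder EMF: EMR_HEADER record type 1, " EMF" signature at offset 40
        z.writestr("word/media/image1.emf", b"\x01\x00\x00\x00" + b"\x00" * 36 + b" EMF" + b"\x00" * 40)
    return buf.getvalue()


def classify_target(target: str) -> str:
    """Triage an external target: will Word reach out over the network on open?"""
    t = target.lower()
    if t.startswith(("http://", "https://", "\\\\")):
        return "remote"                      # HTTP(S) or UNC: remote template fetch
    if t.startswith("file:///") and len(t) > 9 and t[8].isalpha() and t[9] == ":":
        return "local-drive"                 # file:///D:\... resolves only where that path exists
    if t.startswith("file://"):
        return "remote"                      # file://host/share is UNC in disguise
    return "other"


def scan_ooxml(data: bytes) -> dict:
    """Return external relationships, embedded OLE parts and EMF media in the package."""
    out = {"external_rels": [], "ole_parts": [], "emf_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        target = rel.get("Target", "")
                        out["external_rels"].append({
                            "part": name,
                            "type": rel.get("Type", "").rsplit("/", 1)[-1],
                            "target": target,
                            "class": classify_target(target),
                        })
            elif name.startswith("word/embeddings/"):
                blob = z.read(name)
                out["ole_parts"].append({
                    "part": name, "size": len(blob),
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    "is_cfb": blob.startswith(OLE_CFB_MAGIC),
                })
            elif name.startswith("word/media/") and name.lower().endswith(".emf"):
                blob = z.read(name)
                out["emf_parts"].append({"part": name, "size": len(blob), "is_emf": blob[40:44] == b" EMF"})
    return out


def heuristics(findings: dict) -> list:
    """Map findings to the report's heuristic names with the severities it assigns."""
    hits = []
    for r in findings["external_rels"]:
        hits.append(("OOXML_EXTERNAL_REL", "high", f'{r["part"]}: {r["target"]} [{r["class"]}]'))
    if findings["ole_parts"]:
        hits.append(("OOXML_OLE_OBJECT", "medium", f'{len(findings["ole_parts"])} embedded OLE part(s)'))
    return hits


if __name__ == "__main__":
    found = scan_ooxml(build_sample_docx())
    for hit in heuristics(found):
        print(*hit)
    for part in found["ole_parts"]:
        print(part["part"], part["size"], part["sha256"], "CFB" if part["is_cfb"] else "not CFB")
```

Point scan_ooxml() at the bytes of a real .docx to reproduce the report's first two heuristics; the carved OLE part's SHA-256 is what you would pivot on next, and a "remote" class on the external relationship is the case that warrants blocking the target host.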

Extracted artifacts (2)

Files carved from inside the sample during analysis. The OLE part is a Word 97-2003 binary document (its part name is the one Word assigns when a .doc is inserted as an object); the EMF in word/media is, in this layout, typically the rendered icon or preview that Word shows for an embedded object, so analysis of the OLE .doc is the priority.

Filename                Kind              Source                                                                            Size
ooxml_oleobject_00.bin  ooxml-ole-object  OOXML embedded OLE part: word/embeddings/Microsoft_Word_97_-_2003_Document1.doc  24064 bytes
    SHA-256: 038581c2eaba83032b99efdff7957762b0c8014e715f3183918e113f6e9144e1
emf_00.emf              ooxml-emf         OOXML EMF part: word/media/image1.emf                                             1816 bytes
    SHA-256: 6f073304ea3c8d18991ebb27f8b2d71c093e71a714ff2523a5e528b410a45f6b