Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 0a6cee8cd4ad8f24…

MALICIOUS

Office (OOXML) / .DOC

Size: 327.2 KB
Created: 2021-02-18 08:03:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: de4f9bab64f8485f4ece905416029347
SHA-1: 4050edeb338d5d8194f26e542c99feb3d8a9de59
SHA-256: 0a6cee8cd4ad8f24004b511c4f0b77b07f11ee601b7077fa53d54c398576db75
Risk Score: 144

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample contains an embedded OLE object and an external OLE object relationship pointing to http://5.39.217.221/win/document.doc. This is strongly indicative of exploitation for client execution, likely via CVE-2017-8759, which is a known vulnerability related to RTF and OLE object processing. The embedded OLE object itself is a high-entropy artifact, suggesting it contains malicious content.

Heuristics (6)

  • OOXML OLE2Link remote document, CVE-2017-8759 related (severity: high; category: CVE related; id: CVE_2017_8759_RELATED)
    Document contains an o:OLEObject Type=Link whose external oleObject relationship fetches a remote Office-looking document. That is the OOXML OLE2Link staging shape used by CVE-2017-8759 campaigns when the remote document/WSDL supplies the SOAP moniker payload; the local file alone does not contain the WSDL body needed for an exact match.
  • OOXML part with non-standard content type and high-entropy data (severity: high; id: OOXML_BOGUS_CUSTOM_PART)
    The package declares a part with an invented content type (not an OpenXML/Office/standard media type) holding large, high-entropy (likely encrypted/packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
  • External OLE object relationship (severity: high; id: OOXML_EXTERNAL_OLE_OBJECT)
    Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
  • Embedded OLE object (severity: medium; id: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (severity: info; id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://5.39.217.221/win/document.doc (target of the external oleObject relationship; the only network indicator in this list)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (XML namespace URI declared in the package, not a network fetch)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (XML namespace URI)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (XML namespace URI)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (XML namespace URI)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (XML namespace URI)
    • http://schemas.microsoft.com/office/word/2006/wordml (XML namespace URI)
    • http://schemas.openxmlformats.org/drawingml/2006/main (XML namespace URI)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: filename, SHA-256, kind, source, size, detection.

  • ooxml_oleobject_00.bin
    SHA-256: 5de97d641e51bd927530ccdb2ec0f89850ade4429ea1f7daaeb25cc93ed0dcf4
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Word_97_-_2003_Document1.doc
    Size: 134656 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.47, consistent with packed or encrypted content.
  • emf_00.emf
    SHA-256: 351db31370785d9b5db08497d519f01d5d1282155a2629a35285c115977f0e99
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 41820 bytes
  • emf_01.emf
    SHA-256: b0896c877eea496981e17fb25a0546f645e2cd4812c7fe0987df1578c917d222
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1126952 bytes