Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 11a4c65046450315…

MALICIOUS

Office (OOXML)

Size: 19.0 KB
Created: 2018-01-19 18:41:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2019-05-16
MD5: 3a8cf174511ed0e09534332f7244ac33
SHA-1: 266682f828d28cef4640eaa82b4f5d355829317b
SHA-256: 11a4c6504645031597cf3d20b380cb1fe08bd26b5f4c57e4f93a76814cf2d8ce
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains a malicious DDE command that, when executed, attempts to run a PowerShell command. This PowerShell command is designed to download a second-stage payload from a provided URL and execute it. The DDE command itself is obfuscated using SET and QUOTE fields, which reconstruct the command string at field-update time. The presence of external hyperlinks together with the DDE execution strongly indicates malicious intent to download and run further malicious content.

Heuristics (5)

  • Malicious DDE command [critical] OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: powershell
  • Word field-chain (SET/REF) co-located with DDE [high] OOXML_FIELD_SET_REF_CHAINING
    2 SET/REF variable pair(s) co-occur with DDE field(s) in word/document.xml
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External hyperlinks (3) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: http://ckattrans.spb.ru/
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing — In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main — In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml — In document text (OOXML body / shared strings)
    • http://ckattrans.spb.ru/ — Document hyperlink
    • https://spb.hh.ru/employer/600756 — Document hyperlink
    • https://spb.hh.ru/employer/995956 — Document hyperlink