Win.Dropper.DarkKomet-9964717-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 11dc4ea3804dfc11…

MALICIOUS

Office (OOXML)

Size: 242.2 KB · Created: 2013-01-24 11:29:48 UTC · Authoring application: Microsoft Office PowerPoint 12.0000 · First seen: 2015-09-23
MD5: 472594e9cd11bbc6cdaabb78f5b7e180 · SHA-1: 9e4371680d82400090ea3cd1f997d37807087d8b · SHA-256: 11dc4ea3804dfc11ef34b6478d5c2a079d2f5cb6f7b09cec38d269796cf4eeef
Risk score: 264

Malware Insights

Win.Dropper.DarkKomet-9964717-0 · confidence 95%

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment · T1105 Ingress Tool Transfer · T1204.002 User Execution: Malicious File

ClamAV identifies the sample as Win.Dropper.DarkKomet-9964717-0, a dropper for the DarkComet RAT. The file is an OOXML presentation (authored with PowerPoint 12.0, i.e. Office 2007) that carries an embedded OLE Package object; the Ole10Native stream inside ppt/embeddings/oleObject1.bin holds a 348 KB payload labelled 'Adobe Flash Player.exe', a name chosen so the object passes for a legitimate installer when the recipient double-clicks it. Two caveats apply to the automated findings. First, the URLs recovered from the package, http://www.usertrust.com1 among them, are Comodo/UserTrust OCSP, CRL and CPS endpoints of the kind carried in an Authenticode certificate chain, with the adjacent ASN.1 byte glued on by the string sweep; none of them is a second-stage download host. Second, the T1105 (download-and-execute) reading of the object rests on those URLs and should be treated as unconfirmed. What the evidence does support is a spearphishing attachment (T1566.001) whose payload runs only when the user executes the packaged file (T1204.002).

Heuristics 6

  • ClamAV: Win.Dropper.DarkKomet-9964717-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Dropper.DarkKomet-9964717-0
  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (11 URLs) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL · channel
    • http://www.usertrust.com1 · Embedded OLE package script
    • http://ocsp.usertrust.com0 · Embedded OLE package script
    • https://secure.comodo.net/CPS0A · Embedded OLE package script
    • http://ocsp.comodoca.com0 · In document text (OOXML body / shared strings)
    • http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=61601&lngWId=1 · In document text (OOXML body / shared strings)
    • http://ocsp.comodoca.com0( · In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/ · In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# · In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ · In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ · In document text (OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# · In document text (OOXML body / shared strings)
    • http://ns.adobe.com/tiff/1.0/ · In document text (OOXML body / shared strings)
    • http://ns.adobe.com/exif/1.0/ · In document text (OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/ · In document text (OOXML body / shared strings)
    • http://www.iec.ch · In document text (OOXML body / shared strings)
    • http://crl.usertrust.com/AddTrustExternalCARoot.crl05 · Embedded OLE package script
    • http://crl.usertrust.com/UTN-USERFirst-Object.crl05 · Embedded OLE package script
    • http://crl.usertrust.com/UTN-USERFirst-Object.crl0t · Embedded OLE package script
    • http://crt.usertrust.com/UTNAddTrustObject_CA.crt0% · Embedded OLE package script
    • http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r · Embedded OLE package script
    • http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$ · In document text (OOXML body / shared strings)
    Reading note: the entries that end in a stray character (com0, com1, crl05, crl0t, crt0%, CPS0A, crt0$) are X.509 URI strings (OCSP and CA-issuer AIA, CRL distribution point, CPS pointer) from a Comodo code-signing chain, and the stray character is the ASN.1 byte that follows each length-prefixed string. They identify the certificate chain in the payload, not hosts it contacts. The ns.adobe.com, w3.org, purl.org and iec.ch entries are XMP and ICC namespace identifiers from image metadata, not links. The planet-source-code.com entry is the only one not explained by either pattern.
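The two package checks above (risky displayName/fullPath and URL recovery from the Ole10Native stream) can be reproduced on the carved stream. The block below is an added example written for this page, not code from the report's tooling: it parses the Object Packager Ole10Native layout (size, flags, label, original path, temp path, payload), flags an auto-executable label, and then runs the URL sweep two ways so the "com0"/"crl05" residue is visible. The payload is a constructed stand-in (fake MZ header, three DER fragments shaped like an Authenticode chain, one made-up download URL at example.invalid); the Windows paths are assumed, and the AUTO_EXEC_EXT list is an assumption standing in for whatever the real rule uses. On a real oleObject1.bin the stream is read with olefile (OleFileIO(path).openstream('\x01Ole10Native').read()).

```python
import re
import struct
from urllib.parse import urlsplit

# Extensions the default shell host runs on double-click. Assumed list, not the
# report's own OFFICE_PACKAGE_RISKY_FILE table.
AUTO_EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                 ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk", ".msi", ".jar"}

# Naive sweep: any printable run after http(s)://. Over a signed PE this yields
# 'http://ocsp.usertrust.com0' because the next DER byte (0x30, '0') is printable.
NAIVE_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# DER-aware: GeneralName uniformResourceIdentifier ([6] IMPLICIT IA5String, tag
# 0x86) or a plain IA5String (0x16, used by CPS pointers), short-form length
# (<128), then a URL. The length byte bounds the string exactly.
DER_URL_RE = re.compile(rb"[\x86\x16]([\x00-\x7f])https?://")
CERT_HOST_RE = re.compile(r"^(ocsp|crl|crt|aia)\.", re.I)  # validation hosts


def build_ole10native(label, orig_path, temp_path, payload):
    """Serialise an Ole10Native stream; used only to construct the sample."""
    body = struct.pack("<H", 0x0002) + label + b"\x00" + orig_path + b"\x00"
    body += struct.pack("<II", 0x00000300, len(temp_path) + 1) + temp_path + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def _cstring(buf, pos):
    """NUL-terminated byte string at pos -> (bytes, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream):
    """Parse an Object Packager Ole10Native stream (little-endian).

    DWORD size of the rest; WORD flags (0x0002); ASCIIZ label (displayName);
    ASCIIZ original path (fullPath); DWORD flags; DWORD temp-path length incl.
    NUL; ASCIIZ temp path; DWORD payload size; payload bytes.
    """
    total, flags1 = struct.unpack_from("<IH", stream, 0)
    if total + 4 > len(stream):
        raise ValueError("truncated Ole10Native stream")
    pos = 6
    label, pos = _cstring(stream, pos)
    orig_path, pos = _cstring(stream, pos)
    _flags2, temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00")
    pos += temp_len
    (size,) = struct.unpack_from("<I", stream, pos)
    payload = stream[pos + 4:pos + 4 + size]
    if len(payload) != size:
        raise ValueError("payload shorter than its declared size")
    return {"flags1": flags1, "label": label.decode("latin-1"),
            "orig_path": orig_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"), "payload": payload}


def is_auto_executable(name):
    """True if the final extension is one the shell runs; 'x.pdf.exe' -> '.exe'."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in AUTO_EXEC_EXT


def der_urls(data):
    """URLs inside DER length-prefixed strings, cut at the declared length."""
    found = []
    for m in DER_URL_RE.finditer(data):
        length, start = m.group(1)[0], m.end(1)
        s = data[start:start + length]
        if len(s) == length and all(0x21 <= b <= 0x7e for b in s):
            found.append(s.decode("ascii"))
    return found


def triage_urls(data):
    """Naive sweep, then label each hit: X.509 string with ASN.1 residue,
    certificate-validation host, or candidate next-stage URL."""
    bounded = der_urls(data)
    labelled = []
    for raw in (h.decode("ascii") for h in NAIVE_URL_RE.findall(data)):
        clean = next((u for u in bounded if raw.startswith(u)), None)
        if clean is not None:
            labelled.append((clean, "certificate chain (ASN.1 residue %r stripped)" % raw[len(clean):]))
        elif CERT_HOST_RE.match(urlsplit(raw).hostname or ""):
            labelled.append((raw, "certificate chain (validation host)"))
        else:
            labelled.append((raw, "candidate payload URL"))
    return labelled


def triage_package(stream):
    """The page's two package checks plus URL triage, over one carved stream."""
    info = parse_ole10native(stream)
    info["is_pe"] = info["payload"][:2] == b"MZ"
    info["risky_name"] = is_auto_executable(info["label"]) or is_auto_executable(info["orig_path"])
    info["urls"] = triage_urls(info["payload"])
    return info


def _der_ia5(tag, url):
    return bytes([tag, len(url)]) + url


# Constructed stand-in for the carved payload (not the real binary): fake MZ
# header, DER fragments shaped like an Authenticode chain (tag, length, URL,
# following SEQUENCE byte 0x30 = '0'), and one made-up plain download URL.
FAKE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + _der_ia5(0x86, b"http://ocsp.usertrust.com") + b"0\x05"
    + _der_ia5(0x86, b"http://crl.usertrust.com/AddTrustExternalCARoot.crl") + b"0\x05"
    + _der_ia5(0x16, b"https://secure.comodo.net/CPS") + b"0\x01"
    + b"\x00http://example.invalid/flash.exe\x00"
)
# Label is the display name the report recovered; both paths are assumed.
SAMPLE_STREAM = build_ole10native(
    b"Adobe Flash Player.exe",
    b"C:\\Users\\author\\Desktop\\Adobe Flash Player.exe",
    b"C:\\Users\\author\\AppData\\Local\\Temp\\Adobe Flash Player.exe",
    FAKE_PAYLOAD,
)

if __name__ == "__main__":
    r = triage_package(SAMPLE_STREAM)
    print(r["label"], "pe=%s risky=%s" % (r["is_pe"], r["risky_name"]))
    for url, why in r["urls"]:
        print(" ", url, "->", why)
```

Running it lists the three chain URLs as certificate strings with the glued byte named, and only the example.invalid URL as a candidate host, which is the distinction the report's URL heuristic does not draw. The naive sweep is kept deliberately so the residue is reproduced rather than hidden.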

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                   Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part: ppt/embeddings/oleObject1.bin  353792 bytes
    SHA-256: 3ba01f64c96dc3bd8919dbeefd92fdc497b7b9355467a9cf0b9dd48027dd93c3
    Detection: ClamAV: Win.Dropper.DarkKomet-9964717-0
    Obfuscation or payload: unlikely
ooxml_oleobject_00_ole10native_00.bin  ole-package       Ole10Native stream of ppt/embeddings/oleObject1.bin     348353 bytes
    SHA-256: 8963089aade031749bc2b7433c5d18de8fe006456d34bd5695d290908dc459b2
    Detection: ClamAV: Win.Dropper.DarkKomet-9964717-0
    Obfuscation or payload: unlikely