Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 18ed3378b6a0650f…

MALICIOUS

Office (OOXML)

20.3 KB Created: 2017-10-27 22:23:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2021-11-22
MD5: 2b47c3c9d62cdbdf5d0c455935ea3488 SHA-1: 8fe7cba01ed9a17251e22aa0ccf4fa0a1ae5bc32 SHA-256: 18ed3378b6a0650f9bc6b56517081e26d47520fa7454c1b11b6a5665c59399e7
110 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample utilizes DDE fields with quoted ASCII integer payloads to construct and execute a command. The decoded command is 'C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\cmd.exe', which is then likely used to launch 'cmd /c powershell -w hidden'. This indicates an attempt to download and execute a second-stage payload, characteristic of a macro-based downloader.

Heuristics 4

  • Field QUOTE with ASCII-integer command payload critical OOXML_FIELD_QUOTE_ASCII_PAYLOAD
    QUOTE field in word/document.xml carries a decimal-ASCII byte sequence that decodes to a shell command referencing cmd
  • Word field-chain (SET/REF) co-located with DDE high OOXML_FIELD_SET_REF_CHAINING
    3 SET/REF variable pair(s) co-occur with DDE field(s) in word/document.xml
  • DDE field low OOXML_DDE
    DDE (Dynamic Data Exchange) field found in word/document.xml. The command does not reference a known-dangerous executable, but DDE can be abused for code execution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • https://products.aspose.com/words/In document text (OOXML body / shared strings)