MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample utilizes DDE fields with quoted ASCII integer payloads to construct and execute a command. The decoded command is 'C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\cmd.exe', which is then likely used to launch 'cmd /c powershell -w hidden'. This indicates an attempt to download and execute a second-stage payload, characteristic of a macro-based downloader.
Heuristics 4
-
Field QUOTE with ASCII-integer command payload critical OOXML_FIELD_QUOTE_ASCII_PAYLOADQUOTE field in word/document.xml carries a decimal-ASCII byte sequence that decodes to a shell command referencing cmd
-
Word field-chain (SET/REF) co-located with DDE high OOXML_FIELD_SET_REF_CHAINING3 SET/REF variable pair(s) co-occur with DDE field(s) in word/document.xml
-
DDE field low OOXML_DDEDDE (Dynamic Data Exchange) field found in word/document.xml. The command does not reference a known-dangerous executable, but DDE can be abused for code execution.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/10/21/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/9/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/10/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2016/5/11/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
- https://products.aspose.com/words/In document text (OOXML body / shared strings)
Open this report in the interactive analyzer, or submit your own file for analysis.