Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1c508c6c42e30d3c…

MALICIOUS

Office (OOXML)

Size: 30.8 KB
Created: 2014-08-06 07:56:10 UTC
Authoring application: Microsoft Office PowerPoint 14.0000
First seen: 2021-02-23
MD5: 6d988e11ecb893e83d449ea9078958e8
SHA-1: 5d74e3c9c27f3ef2661922b7dcaeb639f4eb646f
SHA-256: 1c508c6c42e30d3c77881f1122a41534eb604bdeac438959574bc2c649af37d1
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an OOXML (PowerPoint) document containing an embedded OLE object stored as ppt/embeddings/oleObject1.bin. The object is a Packager (Ole10Native) package whose display name and full path are both 'Quxj.exe'; when a user double-clicks the embedded icon, Packager writes the file to a temporary directory and launches it after an Office prompt. This indicates a likely attempt to deliver a secondary malicious executable to the victim's system. The carved payload is only 1209 bytes, so confirm it carries a valid PE header (MZ/PE signatures) before drawing conclusions about its capability.

Heuristics (2)

  • [critical] OFFICE_PACKAGE_RISKY_FILE: Ole10Native package drops an auto-executable payload
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no legitimate authoring use; treat the document as a malware-delivery dropper.
  • [medium] OOXML_OLE_OBJECT: Embedded OLE object
    The document contains an embedded OLE object. On its own this is only suspicious; the severity comes from what the object carries.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part ppt/embeddings/oleObject1.bin
    Size: 3584 bytes
    SHA-256: 5bd12f1c1a8895c234db7fe0cdfdfdc15bc842f09eb985f624418c3cd4d1e202
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: Ole10Native stream (OLE10Native) inside ppt/embeddings/oleObject1.bin
    Size: 1314 bytes
    SHA-256: da3bb44655d07e07f04ce3d62ee3f9dd6f5a4d3ae9d1a6a603591568f56d0196
  • ooxml_oleobject_00_ole10native_00_Quxj.exe
    Kind: ole-package-payload
    Source: Ole10Native payload inside ppt/embeddings/oleObject1.bin (display_name=Quxj.exe; full_path=Quxj.exe; temp_path=; def_file=)
    Size: 1209 bytes
    SHA-256: b2974b739234a161e1dfa7a83268d2a4cafe5c23276fd137477aa5045b98eee0
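As an added worked example, not code from the analysis engine and not the sample's own bytes, the following Python parses a Packager (Ole10Native) stream into the fields the artifact table lists (display_name, full_path, temp_path, payload) and applies the OFFICE_PACKAGE_RISKY_FILE check from the heuristics section. The stream layout it assumes comes from public reverse engineering of the undocumented Packager format; the AUTO_EXEC_EXTENSIONS set is a representative list rather than the engine's exact one, and build_sample produces constructed test input that mirrors the report's field values with a dummy MZ stub as payload.

```python
"""Parse a Packager (Ole10Native) stream and apply an OFFICE_PACKAGE_RISKY_FILE-style check."""
import hashlib
import struct
from dataclasses import dataclass
from io import BytesIO
from typing import Optional

# Extensions Windows runs directly on double-click. Assumption: a representative
# set, not the analysis engine's exact list.
AUTO_EXEC_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1",
}

@dataclass
class Ole10Native:
    label: str       # display name shown on the embedded icon
    filename: str    # full path of the file on the author's machine
    temp_path: str   # temp path recorded by Packager, often empty
    data: bytes      # the embedded file itself

def _read_cstring(stream: BytesIO) -> str:
    out = bytearray()
    while True:
        b = stream.read(1)
        if not b:
            raise ValueError("unterminated string in Ole10Native header")
        if b == b"\x00":
            return out.decode("latin-1")
        out += b

def parse_ole10native(blob: bytes) -> Ole10Native:
    # Layout assumed here (public reverse engineering of the Packager format,
    # which Microsoft does not document):
    #   DWORD  size of everything that follows
    #   WORD   flags (0x0002 for an embedded file)
    #   CHAR[] label\0, CHAR[] filename\0
    #   WORD   0x0000, WORD 0x0003
    #   DWORD  temp path length (incl. NUL), CHAR[] temp path\0
    #   DWORD  payload size, BYTE[] payload
    #   optional Unicode copies of the three strings follow; ignored here.
    stream = BytesIO(blob)
    (total,) = struct.unpack("<I", stream.read(4))
    if total > len(blob) - 4:
        raise ValueError("Ole10Native size field exceeds stream length")
    stream.read(2)  # flags
    label = _read_cstring(stream)
    filename = _read_cstring(stream)
    stream.read(4)  # the two fixed WORDs
    (tp_len,) = struct.unpack("<I", stream.read(4))
    temp_path = stream.read(tp_len).split(b"\x00", 1)[0].decode("latin-1")
    (size,) = struct.unpack("<I", stream.read(4))
    data = stream.read(size)
    if len(data) != size:
        raise ValueError("Ole10Native payload truncated")
    return Ole10Native(label, filename, temp_path, data)

def risky_extension(path: str) -> Optional[str]:
    """Return the auto-executable extension of a display name or path, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return None
    ext = "." + name.rsplit(".", 1)[-1].lower()
    return ext if ext in AUTO_EXEC_EXTENSIONS else None

def assess(pkg: Ole10Native) -> dict:
    """Heuristic from the report: either name ending in a runnable extension is critical."""
    findings = []
    for field_name, value in (("display_name", pkg.label), ("full_path", pkg.filename)):
        ext = risky_extension(value)
        if ext:
            findings.append(f"OFFICE_PACKAGE_RISKY_FILE: {field_name}={value!r} ends in {ext}")
    return {
        "severity": "critical" if findings else "medium",  # medium = OOXML_OLE_OBJECT alone
        "findings": findings,
        "payload_is_pe": pkg.data[:2] == b"MZ",  # sanity check before calling it an executable
        "payload_sha256": hashlib.sha256(pkg.data).hexdigest(),
    }

def build_sample(label: str, filename: str, payload: bytes, temp_path: str = "") -> bytes:
    """Constructed test stream in the layout parse_ole10native expects (not the real sample)."""
    tp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 0x0002)
            + label.encode("latin-1") + b"\x00" + filename.encode("latin-1") + b"\x00"
            + struct.pack("<HH", 0x0000, 0x0003)
            + struct.pack("<I", len(tp)) + tp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    # Mirrors the report's fields: display_name=Quxj.exe, full_path=Quxj.exe, temp_path empty.
    stream = build_sample("Quxj.exe", "Quxj.exe", b"MZ" + b"\x90" * 62)
    print(assess(parse_ole10native(stream)))
    print(assess(parse_ole10native(build_sample("notes.pdf", "C:\\docs\\notes.pdf", b"%PDF-1.4"))))
```

In practice the stream comes from unzipping the .pptx, opening ppt/embeddings/oleObject1.bin as an OLE compound file (for example `olefile.OleFileIO(path).openstream('\x01Ole10Native').read()`) and passing those bytes to parse_ole10native. Keep the payload_is_pe check: a runnable file name is the detection signal, but only the MZ header tells you whether a small carve like the 1209-byte payload above is really a PE.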