Office (OOXML) malware analysis — malicious · 2a3fb728cc6981b4

MALICIOUS

Office (OOXML)

9.50 MB Created: 2014-11-04 18:21:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2020-12-28

MD5: ad6064927abbc6073a465ea28597ad34 SHA-1: 92e66c24ade39dd92816aac7630ed06d09fcb545 SHA-256: 2a3fb728cc6981b4e2ed4f34fee31522dd8e54703d88f152fd328c097e50ecf5

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1129 Execution through API

The file is a malicious OOXML document containing embedded OLE objects. One of these objects is identified as an auto-executable payload, indicating the document's primary function is to deliver and execute malware. The presence of external hyperlinks and relationships further supports the malicious intent, likely for initial access via spearphishing.

Heuristics 5

Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
External relationship high OOXML_EXTERNAL_REL

External target in word/_rels/settings.xml.rels: file:///C:\Documents and Settings\pkamani\Desktop\hbc\Design Specification - Design Name.dot
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
External hyperlinks (2) low OOXML_EXTERNAL_HYPERLINKS

Document contains 2 external hyperlinks — clickable URLs are stored as external relationships. First target: http://svnprdrk1p:9081/svn/sterlingrepos/WCC/tags/2014/OMSD2_201419121711
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://svnprdrk1p:9081/svn/sterlingrepos/WCC/tags/2014/OMSD2_201419121711 Document hyperlink

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	53248 bytes
SHA-256: `7d2290720edf3de836a6150a9fe5a695219f5d41a3da9310de4687cae8115d8b`
`ooxml_oleobject_00_ole10native_00.bin`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	50287 bytes
SHA-256: `b6660d9dc16b6d61dc61a8ad1cb84d1c7ce978e8cae6d417ff03082cfc4ff90e`
`ooxml_oleobject_01.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject2.bin	13312 bytes
SHA-256: `d6d868df56a11ef60c018cf9d5b4bd7d0f8150708232a016d2f5056336fd4ac8`
`ooxml_oleobject_01_ole10native_00.bin`	ole-package	OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native	10301 bytes
SHA-256: `13ef60e32c1b099d4cdcf08dcf4bb93d8151d9d880e272fdbeca3353133ee0e5`
`ooxml_oleobject_02.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls	159744 bytes
SHA-256: `c9b03a2752f7ec5775594b795734bc876c482897fda5ed17e7a3773941014794`
`ooxml_oleobject_03.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet4.xlsx	40576 bytes
SHA-256: `db323c380d9cbd3c0db1871e53a9274aa4a3b43d4854d20124906afa82a5a467`
`ooxml_oleobject_04.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet6.xls	71168 bytes
SHA-256: `c22c4225af3202ffc8b1fbcaafad4424a940384e55f5133152645f175a9e5f46`
`ooxml_oleobject_05.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet3.xlsx	37291 bytes
SHA-256: `544bfd53cb3bc96cf5b40353148529a36304574afaca8240e5ae1301af07357b`
`ooxml_oleobject_06.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet5.xls	391168 bytes
SHA-256: `3049880b09a041b0fca6e3a0920c0b4795b91780533300a9c3731a1cd0756142`
`ooxml_oleobject_07.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet4.xls	83456 bytes
SHA-256: `a8bd948b7e006ec4f6589b9be3425724e00351cd6c486fd0ad05b03aa8159f4e`
`ooxml_oleobject_08.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet7.xls	90624 bytes
SHA-256: `8450f54470979f254ec4cd4eef4a9af86539af653535dfbbeb164297e29c354f`
`ooxml_oleobject_09.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Word_Document2.docx	8388608 bytes
SHA-256: `24437e42c03a0687b47724c366908df7e22f9c3c68cf566f0e74fb4f15857aed`
`ooxml_oleobject_10.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet3.xls	83968 bytes
SHA-256: `35e1d14b84e98d6a16b5b1e599ac355363739b1e79dcc425e819475111eb4835`
`ooxml_oleobject_11.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet5.xlsx	42366 bytes
SHA-256: `94008283f9a298aaedf753d975b2814a98c67ff466d8a1f35e3ab59edc8e2326`
`ooxml_oleobject_12.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx	12304 bytes
SHA-256: `c1488d27dc5bede5c957f577c9e625d1feaee35ea0275b9f90d34ae22aeb9a34`
`ooxml_oleobject_13.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet8.xls	73728 bytes
SHA-256: `a795431c59286636a198081bb4afb8b0e637163e24849a4fa3ab6dbab8515a81`
`ooxml_oleobject_14.bin`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet2.xls	77824 bytes
SHA-256: `0d63dfbfb0f0c9b9f77309c5c266de5286cd03786c949b6ba2483a2b8027e49a`
`emf_00.emf`	ooxml-emf	OOXML EMF part: word/media/image12.emf	5612 bytes
SHA-256: `32e26be618804518d9b42aa84d1bfa912a5622980bb586de97e5e190d5b22775`
`emf_01.emf`	ooxml-emf	OOXML EMF part: word/media/image11.emf	5580 bytes
SHA-256: `cf3cf8f8babd139271c7916cd9bcad31c4e8e910e3f69eeabd39c3e88264c255`
`emf_02.emf`	ooxml-emf	OOXML EMF part: word/media/image15.emf	5536 bytes
SHA-256: `0218d06165117529b5ccca2e5be3f9db2778cd673e6f27ceb043cdb699eb29ea`
`emf_03.emf`	ooxml-emf	OOXML EMF part: word/media/image10.emf	5668 bytes
SHA-256: `a246ca85e6d2786ec1ea2b3300058a07e283d68be4c008ee93a583846872c8f9`
`emf_04.emf`	ooxml-emf	OOXML EMF part: word/media/image14.emf	5604 bytes
SHA-256: `aadc54e658b9e9686c9382095e62d1652eacbbdd42f6b7eb2c441eb7b6c093d4`
`emf_05.emf`	ooxml-emf	OOXML EMF part: word/media/image13.emf	5652 bytes
SHA-256: `6be2501035928da4cefc9ba4ac29c66e631d219c51f8688bb8a2ab06aa311bef`
`emf_06.emf`	ooxml-emf	OOXML EMF part: word/media/image9.emf	5756 bytes
SHA-256: `e35670383650557bea930dcfecdedc4791863ec66072fa9da3c6fda3790e4814`
`emf_07.emf`	ooxml-emf	OOXML EMF part: word/media/image3.emf	5560 bytes
SHA-256: `cbb6d2d247682863b1760aaa4b5dce09f067831cae05a6de45fd7e0abfebe328`
`emf_08.emf`	ooxml-emf	OOXML EMF part: word/media/image2.emf	5520 bytes
SHA-256: `0e6be5e4e46b4f76c028d57748f5183a72d2747a0846c6e233881825c5c23b55`
`emf_09.emf`	ooxml-emf	OOXML EMF part: word/media/image1.emf	5512 bytes
SHA-256: `b7d222e67649f66fa461e0139c9b138a4ba4be8f69a5363c86b25c1a2335453c`
`emf_10.emf`	ooxml-emf	OOXML EMF part: word/media/image4.emf	5184 bytes
SHA-256: `0b00a04762c3586c40b1c7e4747fd5a1b539fdb439f5a7a9fb9b8a7663f4151b`
`emf_11.emf`	ooxml-emf	OOXML EMF part: word/media/image5.emf	5588 bytes
SHA-256: `9a8e8558f74da4ba06a442fb749c1fe4a914d4b8f3510b4a24f05a49fada4e6d`
`emf_12.emf`	ooxml-emf	OOXML EMF part: word/media/image8.emf	5612 bytes
SHA-256: `c4d8c5d8dd887bf4fba556c0f4e2719f71dfd23bd3e266fcb397d951ff13cd8a`
`emf_13.emf`	ooxml-emf	OOXML EMF part: word/media/image7.emf	5572 bytes
SHA-256: `7fa10a16ae23c0e74ea8ded7e908e10e71ed5fc9e96c110124bc51b539acda65`
`emf_14.emf`	ooxml-emf	OOXML EMF part: word/media/image6.emf	5756 bytes
SHA-256: `b429360f4a653998747f0d55697b07e30d3ce63bd1000d5d9980bce398301810`

Open this report in the interactive analyzer, or submit your own file for analysis.