Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2adbe75ad93300a8…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 698.6 KB
Created: 2009-07-31 11:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2015-09-14
MD5: 2b7971c064a49552b14878e7986388ee
SHA-1: 06c79d7feb9b62cf133074bc401c54211645eba6
SHA-256: 2adbe75ad93300a8b4c5a8ffa95d6510ec3a97d8d0f5279e704f6133026a44e2
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a malicious OOXML document containing an embedded OLE object. This object is identified as an Ole10Native package that drops an executable payload named GMapTool.exe. The presence of embedded OLE objects and the dropping of an executable payload strongly suggest an attempt to execute malware, likely delivered via spearphishing.

Heuristics (4)

  • Ole10Native package drops an auto-executable payload [critical, OFFICE_PACKAGE_RISKY_FILE]
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Embedded OLE object [medium, OOXML_OLE_OBJECT]
    The document contains an embedded OLE object.
  • Payload URL recovered from embedded OLE object (10 URLs) [info, OOXML_EMBEDDED_OBJECT_URL]
    An embedded OLE object (an xl/, word/ or ppt/ embeddings part) carries a next-stage download URL in its Ole10Native/Package stream, stored either literally (including UTF-16) or base64-encoded, where the package-level URL sweep does not look. The URL is surfaced as an IOC; the check is self-validating in that only real payload hosts are reported.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel: in document text, OOXML body / shared strings)
    • http://ocsp.verisign.com0
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • https://www.verisign.com/rpa
    • https://www.verisign.com/rpa01
    • http://crl.verisign.com/pca3.crl0
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
    • https://www.verisign.com/rpa0
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Fields: Filename, Kind, Source, Size, SHA-256

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 946688 bytes
    SHA-256: ab3a73a155fccb082aeb6de2306330e9dc67c1a31e4e6d7a94b73620621a75e7
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin, Ole10Native stream: Ole10Native
    Size: 931128 bytes
    SHA-256: 2fc15914527accef29e1cc8fb9bf661fa2fe568d6d4bd4ee10110d3286501c0f
  • ooxml_oleobject_01.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
    Size: 422912 bytes
    SHA-256: 1cf3ce998cecb949fce95986928bd591e993d08e8b9cf9f3fec86b3dfb20189d
  • ooxml_oleobject_01_ole10native_00.bin
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject2.bin, Ole10Native stream: Ole10Native
    Size: 411203 bytes
    SHA-256: a37e454e22eaca7f8b79b2e5ccd0b7f05d069de519bc73b771137e50c30d10c6
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 5004 bytes
    SHA-256: 66b3ecf01c309be1b2cf8c55f1a721b28b45c19ce167e91b37e172565ba6b72d
  • emf_01.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 4988 bytes
    SHA-256: eee6e0961c9eeb616c14c4568c9168cb072c47e78ceb6846d6c87bfe6c2e3a7c