Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 2dd4b645155f01cf…

MALICIOUS

Office (OOXML) / .DOC

Size: 195.6 KB
Created: 2022-11-30 20:15:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2022-12-09
MD5: 112ebeeaedd376d165db5150be6ab817
SHA-1: a5cd7f6bf2a036e52a9df856c16369f5adc8d4a4
SHA-256: 2dd4b645155f01cf1f0a5b38addeceda5068bc58cdd2d8a6b0376aa7787d2122
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.005 PowerShell
  • T1105 Ingress Tool Transfer

The sample is an OOXML document containing an embedded OLE object that acts as a script dropper. The document body contains a lure instructing the user to 'ENABLE EDITING' to view the document, which is a common tactic to bypass macro security. The embedded package payload is identified as a download-and-execute script, specifically dropping a file from the URL https://cdn.discordapp.com/attachments/1047544891632259145/1047586477921538178/Vbs_Startup_LNK.vbs, which is likely a malicious VBScript given the '.wsf' extension heuristic.

Heuristics (5)

  • Ole10Native package payload is a download-and-execute script (critical, OFFICE_PACKAGE_SCRIPT_DROPPER)
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload (critical, OFFICE_PACKAGE_RISKY_FILE)
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object (medium, OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    The document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://cdn.discordapp.com/attachments/1047544891632259145/1047586477921538178/Vbs_Startup_LNK.vbs

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 229888 bytes
    SHA-256: c2100f835111e25928b6e2997c62957b14654066d13a8a202678e84c7be94538
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 224775 bytes
    SHA-256: f1fa28216f74e674e0fa770edfd01a1e9aa468021370b8c0c11ed72e6b4930d5
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 5448 bytes
    SHA-256: e494be71a8f1d4388d846e7e4f73b5627bc8b9dac938887ca44aa69f43895f10