Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 398417c975bb6ae4…

MALICIOUS

Office (OOXML)

25.5 KB Created: 2016-11-21 11:12:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2017-02-27
MD5: 3afc206a42de9834d81558979df0c909 SHA-1: a4ab618ea8cd6910c3bf6a8d9048ef89b4cb9ae2 SHA-256: 398417c975bb6ae407327fdfc33c49786a2bd0d9257342bf5c3c6abab34a0169
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The sample is an OOXML document identified as malicious. Critical heuristics indicate the presence of an embedded OLE object that drops an auto-executable payload, specifically identified as a JavaScript file. This suggests the document is designed to lure the user into opening it, leading to the execution of a secondary malicious file.

Heuristics 3

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word\embeddings\oleObject1.bin 38912 bytes
SHA-256: 0b4040834eaa52848cd5f7b33ac134c7b5039f561cabad8c8e501b003db559e4
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word\embeddings\oleObject1.bin Ole10Native stream: Ole10Native 30585 bytes
SHA-256: 3fac0584845740fe759c38f9487f80bc64ec87de518888618f7299197cca4893

Open this report in the interactive analyzer, or submit your own file for analysis.