Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 40c8f6c67427e86b…

MALICIOUS

Office (OOXML)

16.0 KB Created: 2017-09-12 11:12:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-01-12
MD5: bde08a6feeedf2bfcdebdcd5071f2ea4 SHA-1: 4d464a25fa407f604568602b1c6dcded567e9144 SHA-256: 40c8f6c67427e86b5f1e93923bb6f0ea3fe4a378c4a6be4287fc09bf536c5e97
242 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The file is identified as malicious due to the presence of an embedded OLE object that is designed to drop an executable payload, as indicated by the 'OFFICE_PACKAGE_RISKY_FILE' and 'EXTRACTED_FILE_STATIC_TRIAGE' heuristics. ClamAV detection further confirms its malicious nature, classifying it as 'Img.Dropper.PhishingLure-6329864-0'. The embedded object and its payload suggest a phishing or malware delivery attempt.

Heuristics 5

  • ClamAV: Img.Dropper.PhishingLure-6329864-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6329864-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 6656 bytes
SHA-256: 682118f6f29d80cb08fff1074fdf82c325dbd4fb991388f25800c554a6bd30c5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Sleep(1000); zqZfvYrIxHEyQVB = new Date()[sPzCJBacRjbgivor]();
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 4062 bytes
SHA-256: e6c3e5adebb6224a8857c4b0ecbdb011347f950529715c789effb999d37d64f3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.Sleep(1000); zqZfvYrIxHEyQVB = new Date()[sPzCJBacRjbgivor]();
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 9260 bytes
SHA-256: c013aff1c3751ddb9f4ed720f23e435a3174cc028bead6b71ff572df6a1f6c47
Detection
ClamAV: Img.Dropper.PhishingLure-6329864-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.