Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 41d498d7539cdd27…

MALICIOUS

Office (OOXML)

Size: 3.04 MB
Created: 2013-08-22 20:10:11 UTC
Authoring application: Microsoft Office PowerPoint 14.0000
First seen: 2015-04-15
MD5: 5e5c70d7ec65becb25c3068ee8774b85
SHA-1: acf76f171403dcf2622035b8e0667446d8f8720c
SHA-256: 41d498d7539cdd271bc45507dddce338d4034e278b3ca35ddbd62a309072d354
Risk Score: 190

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV with the signature Win.Worm.AutorunLink-6547264-0. It contains an embedded OLE object carrying a risky file type: a .lnk (Windows shortcut) file named 'sifetin dereceleri.lnk'. This strongly suggests an attempt to deliver a malicious payload, likely a worm, via a spearphishing attachment that relies on exploitation for client execution when the embedded object is opened.

Heuristics (5)

  • ClamAV: Win.Worm.AutorunLink-6547264-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Worm.AutorunLink-6547264-0
  • Ole10Native package carries executable/script file type (high; OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Embedded OLE object (medium; OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • External hyperlinks (1) (low; OOXML_EXTERNAL_HYPERLINKS)
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://www.youtube.com/watch?v=b_GVGi626k4
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.youtube.com/watch?v=b_GVGi626k4 (Document hyperlink)
    • http://ns.adobe.com/xap/1.0/ (In document text: OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In document text: OOXML body / shared strings)
    • http://ns.adobe.com/iX/1.0/ (In document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/mm/ (In document text: OOXML body / shared strings)
    • http://www.iec.ch (In document text: OOXML body / shared strings)
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd (In document text: OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/ (In document text: OOXML body / shared strings)
    • http://ns.adobe.com/photoshop/1.0/ (In document text: OOXML body / shared strings)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (In document text: OOXML body / shared strings)
    • http://ns.adobe.com/tiff/1.0/ (In document text: OOXML body / shared strings)
    • http://ns.adobe.com/exif/1.0/ (In document text: OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: ppt/embeddings/oleObject1.bin
Size: 6144 bytes
SHA-256: 88d9a3dc67a589b2b1a170d03f4e442cae9a54c1a4416205674be3ac840cd656
Detection: ClamAV: Win.Worm.AutorunLink-6547264-0
Obfuscation or payload: unlikely

Filename: ooxml_oleobject_00_ole10native_00.bin
Kind: ole-package
Source: OOXML ppt/embeddings/oleObject1.bin, Ole10Native stream: Ole10Native
Size: 1631 bytes
SHA-256: b09b8797d5403d0df83aff7d44be78e5c0cd84d40dcffdf6e1724ddbfa46df43