Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 50e06479cb4c1133…

MALICIOUS

Office (OOXML)

Size: 9.8 KB
Created: 2021-10-07 11:15:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2021-10-14
MD5: 5901f3e57881e9bf97d2a407a9210b06
SHA-1: 4489114260691523c02bc6e374ff0cf2940658ee
SHA-256: 50e06479cb4c1133158b99995d6ee46fdda848d5168438cb48f42d1f756e50ea
Risk score: 62

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Phishing: Spearphishing Attachment

The sample contains a DDE field that invokes cmd.exe with arguments that in turn launch calc.exe. This is an abuse of Word's Dynamic Data Exchange fields for arbitrary command execution: when the document is opened, Word asks the user to update linked fields and, if they accept, starts the program named in the field. The command itself is harmless, but the launch vector is not; the same field would just as readily run a downloader that fetches and executes a second-stage payload, which is how this technique is commonly used in spearphishing attachments. The verdict is therefore based on the technique, not on the payload observed.
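The check below is an added example written for this page, not the detection engine that produced the report. It shows how the flagged condition is actually found in an OOXML container: unzip the .docx, walk word/*.xml, reassemble each field instruction from its w:instrText runs (Word habitually splits one instruction over several runs, so matching on a single run misses most real samples), and flag any DDE or DDEAUTO field whose instruction names a command interpreter or LOLBin. The list of dangerous binaries and the two .docx files built in memory are my own constructions, modelled on the cmd.exe/calc.exe field this report describes; they are not the analysed sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Assumption: binaries a DDE field in a document has no legitimate reason to launch.
DANGEROUS_BINARIES = re.compile(
    r"(?:^|[\\/\s\"'])(?:cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|msiexec)(?:\.exe)?\b",
    re.IGNORECASE,
)


def extract_field_instructions(part_xml: bytes) -> list:
    """Return every field instruction found in one WordprocessingML part.

    Simple fields keep the instruction in w:fldSimple/@w:instr. Complex fields are
    fldChar(begin) .. w:instrText runs .. fldChar(end); the runs of one field are
    joined before any pattern is applied. Nested fields are flattened into the
    text of their outermost field, which is sufficient for detection purposes.
    """
    root = ET.fromstring(part_xml)
    instructions = [fld.get(W + "instr") for fld in root.iter(W + "fldSimple")
                    if fld.get(W + "instr")]
    buffer, depth = None, 0
    for el in root.iter():                       # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    buffer = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    instructions.append("".join(buffer))
                    buffer = None
        elif el.tag == W + "instrText" and buffer is not None:
            buffer.append(el.text or "")
    return instructions


def find_dde_fields(docx_bytes: bytes) -> list:
    """Classify every DDE/DDEAUTO field in all XML parts under word/ of an OOXML container."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for instr in extract_field_instructions(zf.read(name)):
                normalized = " ".join(instr.split())   # collapse whitespace padding
                if re.match(r"DDE(?:AUTO)?\b", normalized, re.IGNORECASE):
                    hits.append({"part": name, "instruction": normalized,
                                 "dangerous": bool(DANGEROUS_BINARIES.search(normalized))})
    return hits


def build_docx(field_instructions: list) -> bytes:
    """Constructed minimal .docx for testing: each instruction becomes a complex field
    whose instruction text is deliberately split across two w:instrText runs."""
    runs = []
    for instr in field_instructions:
        cut = len(instr) // 2
        runs.append(
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'<w:r><w:instrText xml:space="preserve">{escape(instr[:cut])}</w:instrText></w:r>'
            f'<w:r><w:instrText xml:space="preserve">{escape(instr[cut:])}</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>field result</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        )
    body = "".join(runs)
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{body}</w:p></w:body></w:document>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", rels)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples in the shape this report describes; neither is the analysed file.
MALICIOUS_SAMPLE = build_docx([r'DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"'])
LEGIT_DDE_SAMPLE = build_docx(['DDE Excel "Sheet1" "R1C1"', r'DATE \@ "d MMMM yyyy"'])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MALICIOUS_SAMPLE
    for hit in find_dde_fields(data):
        print("MALICIOUS" if hit["dangerous"] else "review   ", hit["part"], hit["instruction"])
```

Run it with a .docx path to scan a real file, or with no argument to scan the constructed cmd.exe sample. A DDE field that targets Excel is reported for review rather than as malicious, since DDE links between Office documents are a legitimate feature; only fields that name an interpreter or LOLBin are marked dangerous. Field text in headers, footers and footnotes lives in separate parts under word/, which is why the scan is not limited to word/document.xml.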

Heuristics (2)

  • Malicious DDE command (critical) OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: \\system32\\cmd.exe
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs listed here are OOXML and Word XML namespace identifiers that appear in every .docx, so they are not network indicators and should not be blocked or pivoted on.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)