Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 519df8e6dcd18239…

MALICIOUS

Office (OOXML)

Size: 82.3 KB | Created: 2017-04-04 23:47:00 UTC | Authoring application: Microsoft Office Word 15.0000 | First seen: 2017-06-27
MD5: 63ea76fa5c9b0f41d506f6d49edc3517
SHA-1: 4d07ec807e1201fe4ac26f80393773741c643c20
SHA-256: 519df8e6dcd1823945f8464f32ea303b5f2da204674feabb99974734b0cc05a3
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML document identified as malicious because it contains an embedded OLE object. That object is flagged as a risky file type: an OLE Package that drops an auto-executable payload, specifically a .vbs file. This points to a likely attack pattern of a spearphishing attachment delivering a malicious script for initial execution.

Heuristics (3)

  • Ole10Native package drops an auto-executable payload (severity: critical; rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject2.bin | 13824 bytes
  SHA-256: d62d9744b1a362d1d68206b26a4971a39995c7fce1a0b99f0c2eeb8858fd2290
ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native | 10864 bytes
  SHA-256: ce96767bf00b25c5c8d850aaeeb48936e794482130d910cb48201f43d0a42b23
emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image3.emf | 5296 bytes
  SHA-256: 607e5da76718f0e346463228a4c2c6fcd503be55ce4e435e83490c85e8a5a7d0
emf_01.emf | ooxml-emf | OOXML EMF part: word/media/image2.emf | 5304 bytes
  SHA-256: 2e0172cfe8e7896a0ccfa5e64e7a41dffc40d4b298f4139dce51d024423141a7
emf_02.emf | ooxml-emf | OOXML EMF part: word/media/image1.emf | 5388 bytes
  SHA-256: 28bf4cc453140c666e174bfbcbd0720beec81cd44b91e1a22cb1ff41d448c6b9