Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 52d2adc7f9659483…

MALICIOUS

Office (OOXML)

Size: 55.1 KB
Created: 2016-09-29 09:25:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2021-04-10
MD5: 0ad90ea067c2a105e9cc6fb50899da35
SHA-1: be4cc1baaf132cfbfe6cc5a15068017e06ea4895
SHA-256: 52d2adc7f9659483796c6915af897482521ea886eefa269d8e336129906d9c69
Risk score: 62

Heuristics (3)

  • Equation Editor OLE object  [high]  [CVE related]  OLE_EQUATION_EDITOR
    Embedded OLE object word/embeddings/oleObject5.bin contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. The CLSID shows that the object is handed to Equation Editor when the document is rendered; it does not by itself establish which of these bugs, if any, the object's Equation Native stream triggers, so confirming exploitation requires parsing that stream. The other twelve embedded OLE parts listed under Extracted artifacts were not flagged by this heuristic.
  • Embedded OLE object  [medium]  OOXML_OLE_OBJECT
    Document contains embedded OLE objects (thirteen parts under word/embeddings/; see Extracted artifacts).
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All six URLs below are OOXML/WordprocessingML XML namespace URIs that occur in every Word document and do not indicate contact with a remote host.
    • http://schemas.openxmlformats.org/markup-compatibility/2006  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml  In document text (OOXML body / shared strings)

Extracted artifacts 13

Files carved from inside the sample during analysis.

Filename                Kind              Source (OOXML embedded OLE part)   Size
ooxml_oleobject_00.bin  ooxml-ole-object  word/embeddings/oleObject5.bin     3584 bytes
    SHA-256: d7c724d45686870b0c3e1f849bf53eb42066c07b7c14c7f7acabe35171e53a48
ooxml_oleobject_01.bin  ooxml-ole-object  word/embeddings/oleObject9.bin     3584 bytes
    SHA-256: 31113dc153e208501060b46251df666401eb181cebe3c081498afdb796e6a593
ooxml_oleobject_02.bin  ooxml-ole-object  word/embeddings/oleObject7.bin     3072 bytes
    SHA-256: 141032b64d907d18db93b02e95919cc0cf16779c1e38a972763bb95f02a61b84
ooxml_oleobject_03.bin  ooxml-ole-object  word/embeddings/oleObject2.bin     3584 bytes
    SHA-256: 47c0e12b2fcab4cc84ffb0eceadd9bdce1e241593c2526fc01816076cf8e0211
ooxml_oleobject_04.bin  ooxml-ole-object  word/embeddings/oleObject3.bin     3072 bytes
    SHA-256: 2b8472ef2ebd506f099d1e9f78d5ace738031010f1c73f7ea433bc3d12804a4d
ooxml_oleobject_05.bin  ooxml-ole-object  word/embeddings/oleObject4.bin     3584 bytes
    SHA-256: a66e1c6d9598389aa26b95382bd52e4f06ba540083b7821c27259fc12d87a5b9
ooxml_oleobject_06.bin  ooxml-ole-object  word/embeddings/oleObject6.bin     3072 bytes
    SHA-256: dd0005efa1b9bdb4eb86c9f9033b9ea46b3f7d4f6a254669d7938e0285ea1f32
ooxml_oleobject_07.bin  ooxml-ole-object  word/embeddings/oleObject12.bin    3072 bytes
    SHA-256: 9c24f8fb80f9060f083636af8c1929623daa1872d759d37ddeb7abef53a1238e
ooxml_oleobject_08.bin  ooxml-ole-object  word/embeddings/oleObject10.bin    3584 bytes
    SHA-256: 432353942f9d6ab9905423ed68b9a213b08bf784dd57fc26e0c1fd3dd969cbbd
ooxml_oleobject_09.bin  ooxml-ole-object  word/embeddings/oleObject13.bin    3072 bytes
    SHA-256: af79ccd44a2beb030249bb9fb3b2f6b3094bab77e702c665e8b79feca46ea859
ooxml_oleobject_10.bin  ooxml-ole-object  word/embeddings/oleObject1.bin     3072 bytes
    SHA-256: 00b50b298cb56c73feab5291ef37133c8fe5359fdf74f2c4d30d3f5f490bf29f
ooxml_oleobject_11.bin  ooxml-ole-object  word/embeddings/oleObject11.bin    3584 bytes
    SHA-256: dc668d2da1236bbee75044865e5aa49c390c4294b3ab478d9434d093b410e0d5
ooxml_oleobject_12.bin  ooxml-ole-object  word/embeddings/oleObject8.bin     3584 bytes
    SHA-256: 078d0c86a519f18ad5236bb86af3639572203e7ebc474ca856df7910108954a8
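The two steps the report performs on this sample, carving every part under word/embeddings/ out of the OOXML zip and then testing each carved OLE part for the Equation Editor CLSID, can be reproduced offline. The script below is an added example written for this page, not the analysis engine's own code. It assumes nothing beyond the Python standard library: the CLSID is matched in the little-endian byte order used inside a compound-file directory entry, and the "Equation.3" ProgID string is checked as a weaker secondary indicator. The sample input is constructed in build_sample() and is not this or any real malicious document; the non-Equation CLSID used there is the one registered for Word.Document.8.

```python
"""Carve embedded OLE parts from an OOXML file and flag the Equation Editor CLSID."""
import io
import sys
import uuid
import zipfile

# Compound File Binary (OLE2) header signature.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE), the component targeted by
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

# Word.Document.8 CLSID, used here only to build a non-Equation control part.
WORD_DOCUMENT_CLSID = uuid.UUID("00020906-0000-0000-C000-000000000046")


def scan_ole_part(data):
    """Return indicators for one embedded OLE part given its raw bytes.

    A CFB directory entry stores the CLSID with Data1..Data3 little-endian and
    Data4 as-is, which is exactly what uuid.UUID.bytes_le produces, so a byte
    search for that form finds the root-storage CLSID without parsing the FAT.
    """
    return {
        "is_cfb": data.startswith(CFB_MAGIC),
        "has_eqn_clsid": EQUATION_EDITOR_CLSID.bytes_le in data,
        # The CompObj stream of an Equation object carries the ANSI ProgID.
        "has_eqn_progid": b"Equation.3" in data,
    }


def scan_ooxml(blob):
    """Scan a .docx/.xlsx/.pptx given as bytes; return {part_name: indicators}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            # Embedded OLE payloads live under word|xl|ppt/embeddings/; the
            # .bin extension is conventional, not guaranteed, so key on the path.
            if "/embeddings/" in name and not name.endswith("/"):
                findings[name] = scan_ole_part(zf.read(name))
    return findings


def flagged_parts(findings):
    """Names of parts that are CFB containers and carry the Equation Editor CLSID."""
    return sorted(n for n, f in findings.items() if f["is_cfb"] and f["has_eqn_clsid"])


def build_sample():
    """Constructed test input (not a real sample): a minimal OOXML zip holding one
    Word-document OLE part and one part carrying the Equation Editor CLSID."""
    def fake_cfb(clsid):
        body = bytearray(CFB_MAGIC)
        body += b"\x00" * (512 - len(body))            # pad header to one sector
        body += "Root Entry".encode("utf-16-le")        # directory entry name
        body += b"\x00" * 40 + clsid.bytes_le          # ... and its CLSID field
        return bytes(body)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", fake_cfb(WORD_DOCUMENT_CLSID))
        zf.writestr("word/embeddings/oleObject5.bin",
                    fake_cfb(EQUATION_EDITOR_CLSID) + b"Equation.3\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_eqn.py sample.docx   (defaults to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    results = scan_ooxml(blob)
    for part, ind in sorted(results.items()):
        print(f"{part}: cfb={ind['is_cfb']} eqn_clsid={ind['has_eqn_clsid']} "
              f"eqn_progid={ind['has_eqn_progid']}")
    print("Equation Editor parts:", flagged_parts(results))
```

A hit from flagged_parts() corresponds to the OLE_EQUATION_EDITOR heuristic above: it tells you the part will be dispatched to Equation Editor, not which (if any) of the listed CVEs its Equation Native stream triggers. To go further, parse the compound file with a CFB library, pull the Equation Native stream, and inspect the MTEF records, in particular the font record whose name field overflows in CVE-2017-11882.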