Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 57baa7a45919243d…

MALICIOUS

Office (OOXML)

37.3 KB Created: 2018-07-12 08:40:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2018-09-04
MD5: ac7047d2a8031e7dc6d8ecdc2330ae74 SHA-1: 84e5e15bf9f71f12b57bd93b3ccf69f98ef82d9e SHA-256: 57baa7a45919243dcbd71820d7f1937a7ec775cd1fb5af6b4eaf072796575f16
62 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a Microsoft Office Word document containing an embedded OLE object identified as an Equation Editor exploit. This type of object is commonly used to deliver and execute malicious payloads. The presence of this exploit suggests the document is designed to leverage CVE-2017-11882 or a similar vulnerability for initial code execution.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object word/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 4096 bytes
SHA-256: 68fc4be567745f072fb52d5a5950209105a9de2fb9d918496d68d106e9e7c5a5
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 1798 bytes
SHA-256: d5da2e7920ee493ab31b51a89840f974accb48dd0d3f9c264776218192429894

Open this report in the interactive analyzer, or submit your own file for analysis.