Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5a1ffc4af4b51576…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 218.5 KB
Created: 2020-10-24 17:18:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2020-11-05
MD5: 4ef3b1b9c2aa385584cd72e1373cb288
SHA-1: 61ece6e52d6280d34e9ec782725927f9618e8b4f
SHA-256: 5a1ffc4af4b515766048201451228ef9d6fecb8120a1fbc51968519a86c59b1f
Risk score: 84

Heuristics (4)

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    The OLE Package's displayName or fullPath ends in an extension that Windows launches directly on double-click: a runnable binary, a script the default shell host executes, or, as here, a .jar archive handed to the Java launcher on any host with a JRE installed. Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All twelve URLs below are standard OOXML / WordprocessingML XML namespace identifiers (xmlns declarations in the document parts), not links or download locations, and carry no network indicator.
    URL | Channel
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 209408 bytes
  SHA-256: 5b235e4ea3970854f2d36732d9ef091a3e58f1d741469ea7f3141b66076fb31a
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content)
ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 205190 bytes
  SHA-256: 3f761c575a2aab70e80163253ecc9e996396dc9d67dba7120b889e75893f1f52
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)
  Note that a JAR is a ZIP archive whose deflate-compressed members are high-entropy by construction, so for this stream the entropy alone does not distinguish encryption from ordinary compression; confirm the payload's leading bytes (PK\x03\x04 for ZIP) rather than trusting the .jar extension.
ooxml_oleobject_00_ole10native_00_92582165117124289956736699836528828911755243948389.jar | ole-package-payload | OOXML word/embeddings/oleObject1.bin Ole10Native payload | 204494 bytes
  display_name: 92582165117124289956736699836528828911755243948389.jar
  full_path: C:\Users\TESTER\AppData\Local\Temp\92582165117124289956736699836528828911755243948389.jar
  temp_path: (empty)
  def_file: (empty)
  SHA-256: 22c8bed4c0f0a027e590124945afc9b2843e60da0bf4b3448d7198f1ba8c7055
  The full_path is where the file was inserted from on the authoring machine (user profile TESTER); it is a build-environment clue, not a path on a victim host.
emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image2.emf | 5132 bytes
  SHA-256: b3511c18d5a6ccd18dd837df59a1df8e78b26a0285e53e22c564e4d5b2d1d3ad
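Both the OFFICE_PACKAGE_RISKY_FILE heuristic and the display_name / full_path / temp_path fields in the Ole10Native payload record above come from parsing the Packager stream. The following Python is an added example, not code from the analysis engine that produced this report: it parses a raw `\x01Ole10Native` stream (already read out of the OLE compound file word/embeddings/oleObject1.bin, for instance with olefile), recovers the label, source path, temp path and payload, checks the names for an auto-launch extension, identifies the payload's real container from its leading bytes instead of trusting the extension, and computes the byte entropy the report quotes. The stream layout is the publicly described Packager format as assumed here, and the extension list, file names and the ZIP stand-in for the JAR are all constructed for the example.

```python
"""Ole10Native (Packager) stream triage, as an added example.

Assumed stream layout (the Packager \\x01Ole10Native stream, after it has
been read out of the OLE compound file word/embeddings/oleObjectN.bin,
e.g. with olefile):
  uint32 LE  size of everything that follows
  uint16 LE  flags (0x0002 for a file package)
  char[]     label / display name, NUL-terminated
  char[]     original source path, NUL-terminated
  uint32 LE  reserved
  uint32 LE  length of the temp path field (including its NUL)
  char[]     temp path
  uint32 LE  payload size
  byte[]     payload
"""
import io
import math
import struct
import zipfile
from collections import Counter

# Extensions Windows hands straight to a launcher on double-click (constructed
# list, not the report tool's own; .jar applies only where a JRE is present).
AUTO_EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                  ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta",
                  ".msi", ".jar")

# Leading bytes that reveal the payload's real container, whatever the label says.
MAGIC = {b"MZ": "pe", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole"}


def _cstring(buf, off):
    """Read a NUL-terminated latin-1 string starting at offset off."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Split a raw Ole10Native stream into its header fields and payload."""
    total = struct.unpack_from("<I", stream, 0)[0]
    if total + 4 > len(stream):
        raise ValueError("Ole10Native size field exceeds stream length")
    flags = struct.unpack_from("<H", stream, 4)[0]
    label, off = _cstring(stream, 6)
    src_path, off = _cstring(stream, off)
    off += 4                                   # reserved dword
    tmp_len = struct.unpack_from("<I", stream, off)[0]
    off += 4
    temp_path = stream[off:off + tmp_len].split(b"\x00", 1)[0].decode("latin-1")
    off += tmp_len
    size = struct.unpack_from("<I", stream, off)[0]
    off += 4
    payload = stream[off:off + size]
    if len(payload) != size:
        raise ValueError("truncated Ole10Native payload")
    return {"flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "payload": payload}


def shannon_entropy(data):
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def payload_kind(payload):
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return "unknown"


def risky_package(info):
    """The OFFICE_PACKAGE_RISKY_FILE check: any name ends in a launch extension."""
    names = (info["label"], info["src_path"], info["temp_path"])
    return any(n.lower().endswith(AUTO_EXEC_EXTS) for n in names)


def triage(stream):
    info = parse_ole10native(stream)
    payload = info["payload"]
    info.update(payload_size=len(payload), payload_kind=payload_kind(payload),
                entropy=round(shannon_entropy(payload), 2),
                risky=risky_package(info))
    # A .jar label over a non-ZIP body (or the reverse) deserves a second look.
    info["type_mismatch"] = (info["label"].lower().endswith(".jar")
                             and info["payload_kind"] != "zip")
    return info


def build_ole10native(label, src_path, temp_path, payload):
    """Serialise the layout above; used here only to construct a sample."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2)
            + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00"
            + struct.pack("<I", 0)
            + struct.pack("<I", len(tmp)) + tmp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def _fake_jar():
    """Constructed stand-in for a JAR: a real ZIP holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zi = zipfile.ZipInfo("META-INF/MANIFEST.MF", (1980, 1, 1, 0, 0, 0))
        zf.writestr(zi, "Manifest-Version: 1.0\nMain-Class: Loader\n")
    return buf.getvalue()


# Constructed sample mirroring the report's package; all names hypothetical.
SAMPLE_PAYLOAD = _fake_jar()
SAMPLE_STREAM = build_ole10native(
    "invoice_2020.jar",
    r"C:\Users\victim\AppData\Local\Temp\invoice_2020.jar",
    "", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    result = triage(SAMPLE_STREAM)
    for key in ("label", "src_path", "temp_path", "payload_size",
                "payload_kind", "entropy", "risky", "type_mismatch"):
        print(f"{key:>13}: {result[key]}")
```

Real streams carry further fields after the payload (Unicode copies of the names); the parser stops at the payload size field, which is all the carving needs. On the sample from the report the size check matters: a Packager stream whose size field overruns the carved data is either truncated or crafted, and either case is worth flagging rather than silently slicing.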