Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5c0c2f162ccbcc90…

MALICIOUS

Office (OOXML)

459.1 KB Created: 2019-05-08 07:25:00 UTC Authoring application: Microsoft Office Word 15.0000
MD5: 58acee49d6a8443b0a6b5028beb51502 SHA-1: 55b2c99fd6af6fe0856799fad86e8e8d4efd81dc SHA-256: 5c0c2f162ccbcc9043141bbb8a3ab22058bf7f107beb1a659b13517f0e0b74de
170 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains a critical DDEAUTO command that executes cmd.exe, which in turn runs a PowerShell command. This PowerShell command downloads a script from 'http://kong.re.kr/this_is_not_malware/t.ps1' and executes it. This indicates the document is a malicious attachment designed to download and run a second-stage payload.

Heuristics 5

  • Malicious DDE command critical OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: \\System32\\cmd.exe
  • ClamAV: Doc.Exploit.DDEautoexec-6346603-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External hyperlinks (3) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 3 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.aseankorea.org/kor/Resources/publication.asp
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kong.re.kr/this_is_not_malware/t.ps1
    • https://www.aseankorea.org/kor/Resources/publication.asp
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://www.iec.ch

Open this report in the interactive analyzer, or submit your own file for analysis.