Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5cd1393f3fe84743…

MALICIOUS

Office (OOXML)

Size: 129.3 KB
Created: 2018-07-12 17:52:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2021-05-29

MD5: cac162971249088889ec967b96bc0e2b
SHA-1: 8aac15c2f882a964fd44944baf575ddfc42ec656
SHA-256: 5cd1393f3fe84743462fbe6d17e65c76096f11d19cf53374118856768425a720

Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1566.001 Phishing: Spearphishing Attachment

A critical DDE heuristic fired on this sample: a DDE field in word/document.xml launches a command that uses PowerShell to download a JAR file from http://stealcon.xyz/test.jar and execute it. No macro is involved; DDE fields run when Word resolves the document's links, after the user accepts the "update links" and "start application" prompts. This indicates a malicious attachment (T1566.001) built to deliver a secondary payload via PowerShell (T1059.001).

Heuristics (2)

  • Malicious DDE command (critical) OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: \\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\sy
    The leading Office path followed by repeated ..\\ segments is a known evasion: the field still resolves to a binary under the Windows directory, but the string no longer begins with a known-bad path, so matching on "powershell" or "cmd" at the start of the field code misses it. Detection should reconstruct the full field code (Word splits it across w:instrText runs) and flag parent-directory traversal as well as the final executable name.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://stealcon.xyz/test.jar (channel: document text, OOXML body / shared strings)
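The script below is an added worked example, not the scanner's own code and not derived from the sample above. It reproduces the two heuristics on a .docx: it reconstructs every field code from word/document.xml (joining the w:instrText runs that Word, and attackers, split the instruction across), flags DDE/DDEAUTO fields and the ..\\ traversal trick, and labels each extracted URL with the channel it was found in. The document it scans is constructed inline; its DDEAUTO field uses the same Office-path-plus-traversal shape as the report but targets calc.exe as a benign stand-in, and http://example.invalid/test.jar is a placeholder URL.

```python
"""Scan a .docx (OOXML) for DDE fields and embedded URLs.

Added example, not the scanner's code. The sample document is constructed
in build_sample_docx(); it is a minimal package, not a fully valid Word file.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Anything a DDE field should never need: directory traversal or a LOLBin.
SUSPICIOUS_RE = re.compile(
    r"\.\.\\|powershell|\bcmd(\.exe)?\b|mshta|regsvr32|certutil", re.IGNORECASE)


def field_codes(document_xml: bytes):
    """Yield every field code in document.xml in document order.

    Simple fields keep the code in a w:fldSimple attribute. Complex fields
    are a run of w:fldChar begin / w:instrText* / w:fldChar separate / end;
    the instruction may be split over many w:instrText elements, so they
    are concatenated and only the outermost field is yielded.
    """
    root = ET.fromstring(document_xml)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    buf, depth = [], 0
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    buf = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0 and buf:
                    yield "".join(buf)
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")


def body_text(document_xml: bytes) -> str:
    """Visible text of the document body (every w:t element)."""
    root = ET.fromstring(document_xml)
    return " ".join(t.text or "" for t in root.iter(W + "t"))


def scan_docx(data: bytes) -> dict:
    """Return DDE findings and (url, channel) pairs for a .docx given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        xml = z.read("word/document.xml")
    findings = {"dde_fields": [], "urls": []}
    for code in field_codes(xml):
        if DDE_RE.match(code):
            findings["dde_fields"].append({
                "code": code.strip(),
                "suspicious": bool(SUSPICIOUS_RE.search(code)),
            })
        for url in URL_RE.findall(code):
            findings["urls"].append((url, "field code"))
    for url in URL_RE.findall(body_text(xml)):
        findings["urls"].append((url, "document body"))
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample: DDEAUTO split across two runs, plus a URL in body text.

    The target is calc.exe (benign stand-in); the Office path followed by
    ..\\ segments mirrors the evasion seen in the wild. Backslashes are
    doubled as Word field syntax expects.
    """
    document = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">AUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\calc.exe" "http://example.invalid/test.jar"</w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:t>Error! No DDE link.</w:t></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:r><w:t>See http://example.invalid/test.jar for details.</w:t></w:r></w:p>
</w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_docx(build_sample_docx()), indent=2))
```

Because the scanner joins the instrText runs before matching, a document that splits "DDE" and "AUTO" across runs (or across dozens of runs) is still caught, and the traversal check fires on the ..\\ segments regardless of what executable name ends the path. Run it against a real file with scan_docx(open(path, "rb").read()).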