Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5e7fe9a4eb6dc098…

MALICIOUS

Office (OOXML) / .DOC

Size: 94.5 KB   Created: 2021-04-28 13:50:00 UTC   Authoring application: Microsoft Office Word 15.0000
MD5: 158e499db47d9c6a56449c86f3b1596f   SHA-1: 6d0e9274649112ec7e9a757168b7de6eb2c48ff2   SHA-256: 5e7fe9a4eb6dc098b6ed28b083d277455d66a515e7c78b270ad0515a90279f45
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a Microsoft Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is known to be vulnerable to exploitation, allowing for arbitrary code execution. The presence of this object strongly suggests an attempt to exploit a known vulnerability to deliver a malicious payload.

Heuristics 3

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object word/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 57d9d8392b9b7b4787c0ca281bc530b1eb9da25c15fbbbd9700b3f329b6ffc82
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
Size: 4096 bytes