Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5f2ab74ec123383b…

MALICIOUS

Office (OOXML)

3.39 MB Created: 2019-04-22 19:40:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2021-02-20
MD5: 97fc56934569e075112585566000bde9 SHA-1: a182653c1d0b829baaa6b38d58d44ee627a2c001 SHA-256: 5f2ab74ec123383ba369de98711d2a378a4292dd74b37ce92128d7938ee86d01
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The file is identified as malicious due to the presence of an embedded OLE object that is designed to drop an executable payload, as indicated by the 'OFFICE_PACKAGE_RISKY_FILE' and 'EXTRACTED_FILE_STATIC_TRIAGE' heuristics. ClamAV detection further confirms its malicious nature, classifying it as 'Img.Dropper.PhishingLure-6329864-0'. The embedded object and its payload suggest a phishing or malware delivery attempt.

Heuristics 5

  • ClamAV: Win.Keylogger.Ramnit-9817861-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Keylogger.Ramnit-9817861-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 4113408 bytes
SHA-256: 12976149c263bb321f6e6338e2cb9f207e82a3b06909ef1495ebd9e58056c57d
Detection
ClamAV: Win.Keylogger.Ramnit-9817861-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, KERNEL32.DLL, ADVAPI32.DLL, LoadLibraryW, GetProcAddress
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 4078943 bytes
SHA-256: 0814e945e38e5e4595b74bdcafabe826ed30f22ef387d88c5372ff45e741f0b2
Detection
ClamAV: Win.Keylogger.Ramnit-9817861-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, KERNEL32.DLL, ADVAPI32.DLL, LoadLibraryW, GetProcAddress
ooxml_oleobject_00_ole10native_00_Payment_Swift.exe ole-package-payload OOXML word/embeddings/oleObject1.bin Ole10Native payload: display_name=Payment Swift.exe; full_path=C:\Users\user\AppData\Local\Temp\Payment Swift.exe; temp_path=; def_file= 4078592 bytes
SHA-256: 0435e44f3c5ecd7adf51d143cb15fd25ea66760d0f7cb978f62583a28e71144c
Detection
ClamAV: Win.Keylogger.Ramnit-9817861-0
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_LOADLIBRARY Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, KERNEL32.DLL, ADVAPI32.DLL, LoadLibraryW, GetProcAddress
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 5568 bytes
SHA-256: 54265b5d2cbb56b4dd49c1bda10e3fa949f7c74d0fb697c1dc734e436361bb44

Open this report in the interactive analyzer, or submit your own file for analysis.