Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 63cdac306f78b398…

MALICIOUS

Office (OOXML)

Size: 28.8 KB
Created: 2021-08-03 13:27:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 1862858bf5b7aea87558d61d575fa398
SHA-1: 2b174d971b78cd2736462442bf018983b862b907
SHA-256: 63cdac306f78b398a9e2db3241ba54e890e39ef71c3dbb5dd2701c14242b3c4f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1218.005 Client Execution: Signed Binary Proxy Execution
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document that leverages Dynamic Data Exchange (DDE) to execute a command. Specifically, it uses a DDEAUTO field to launch cmd.exe, which in turn executes notepad.exe. This technique is often used to download and execute further stages of malware.

Heuristics (2)

  • Malicious DDE command critical OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: \\system32\\cmd.exe
  • ClamAV: Doc.Exploit.DDEautoexec-6346603-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.DDEautoexec-6346603-1