Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 64e04d88b1bde88d…

MALICIOUS

Office (OOXML)

253.8 KB Created: 2021-10-25 11:26:00 UTC Authoring application: Microsoft Office Word 14.0000
MD5: fbed686b60bc697e5900d8c7969ac46c SHA-1: d35045ce5cc5f2b9ee35ebcac7896f7a7e4a7bb1 SHA-256: 64e04d88b1bde88df05f85eb66be406c37fc4e20ad594ce3f18b65b1593b227b
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1027 Obfuscated Files or Information

The sample is a malicious OOXML document containing an embedded OLE object. This object is identified as a risky file package that drops an auto-executable payload, specifically a JAR file. The presence of an embedded OLE object and the dropping of an executable payload strongly suggest an attempt to execute malware upon opening or interaction with the document.

Heuristics 4

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
ebf42b71a276368e6e0ab0a0e9a6292cf736d867e5098dc0b87226998f62e2ae		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 249344 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
87d246405d23e9e67e022114ce6aceaa3ad593a5c5554bdc1411a7cc3af5be41		 ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 244560 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
emf_00.emf
d42778688773fe664f6d3b2ba4c7208daa02777fae846e64225ee5851e3c2d4a		 ooxml-emf OOXML EMF part: word/media/image2.emf 5140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.