Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 688fda1b644b1ffc…

MALICIOUS

Office (OOXML)

406.6 KB Created: 2020-08-31 17:14:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2020-09-24
MD5: 0ce1b2a55f8096004d5ba2930bb27844 SHA-1: 9fdaf44e6028098cfa5806e5806bf832d4c4fed3 SHA-256: 688fda1b644b1ffc6393e3fd95b238f4f44cfc3b4025c9b40ba4d674c55c0569
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains an embedded OLE object that is identified as a package payload designed to download and execute a file. The document body prompts the user to click the package, ostensibly for a Word update, which is a common social engineering tactic. The embedded object is specifically flagged as an MSI installer, indicating a direct execution attempt. The primary URLs associated with the payload download are http://t2.symcb.com and related domains.

Heuristics 6

  • Ole10Native package payload is a download-and-execute script critical OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Payload URL recovered from embedded OLE object (16 URLs) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://t2.symcb.com0 Embedded OLE package script
    • http://tl.symcd.com0&Embedded OLE package script
    • http://s.symcd.com06In document text (OOXML body / shared strings)
    • http://ts-ocsp.ws.symantec.com0In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
    • http://t1.symcb.com/ThawtePCA.crl0Embedded OLE package script
    • http://tl.symcb.com/tl.crl0Embedded OLE package script
    • https://www.thawte.com/cps0/Embedded OLE package script
    • https://www.thawte.com/repository0WEmbedded OLE package script
    • http://tl.symcb.com/tl.crt0Embedded OLE package script
    • https://www.advancedinstaller.comEmbedded OLE package script
    • https://d.symcb.com/cps0%In document text (OOXML body / shared strings)
    • https://d.symcb.com/rpa0In document text (OOXML body / shared strings)
    • http://s.symcb.com/universal-root.crl0In document text (OOXML body / shared strings)
    • https://d.symcb.com/rpa0@In document text (OOXML body / shared strings)
    • http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0In document text (OOXML body / shared strings)
    • http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0In document text (OOXML body / shared strings)
    • http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(In document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 706560 bytes
SHA-256: dd767f4445d7b11ca50b3d911cb32a9a6dc4ff9b703b3185933a9533f5c6a61c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: shell32.dll, ShellExecuteW, LoadLibraryW, GetProcAddress, ReadProcessMemory, OpenProcess
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 692794 bytes
SHA-256: cdca7a9c4b1ea8c3087c95c166a0276279cffd3f1f91a100bd5aa79ad81b6559
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_SHELLEXEC, SC_STR_GETPROCADDRESS Static shellcode analysis recovered API/import strings: shell32.dll, ShellExecuteW, LoadLibraryW, GetProcAddress, ReadProcessMemory, OpenProcess
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 5052 bytes
SHA-256: 8f44dea5102d1c6fa576ab797dcadab7d920bdd38f6b4a7265f63114f92e3089

Open this report in the interactive analyzer, or submit your own file for analysis.