Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 693b4d811d4839e9…

MALICIOUS

Office (OOXML) / .DOC

Size: 33.7 KB
Created: 2020-02-25 05:41:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: 1bd6ebc07397651c32ed51b19e07c15c
SHA-1: 6ef59cf0b49abaf7d281faa040031b1f24775665
SHA-256: 693b4d811d4839e92f7dd8974c057bc1b6d57d50bb5ef6e49c4a365564ef99e7
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is a malicious OOXML document that uses remote template injection to download a secondary file. The document body contains official-looking Ukrainian Ministry of Defense letterhead and text, likely intended to deceive the recipient into trusting the malicious content. The embedded OLE object and external relationship heuristics further indicate malicious intent, likely to execute further stages of the attack.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://lisbek.freedynamicdns.org/cache/root/KOBEko.dot) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://lisbek.freedynamicdns.org/cache/root/KOBEko.dot
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lisbek.freedynamicdns.org/cache/root/KOBEko.dot
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • ooxml_oleobject_00.bin
    SHA-256: 440232f459e0e01f9cdf391acc97dac90474e81fc95cbe58ea7b5507ab9cf02a
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 8704 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 8fcfd96c0bb4eb0dc030caea9c8bc351ffb713c39466b4a9cf5cfd5f6fbd68f1
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 896 bytes