Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 6955bbde3060e80d…

MALICIOUS

Office (OOXML)

60.4 KB Created: 2018-03-29 22:25:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2019-12-09
MD5: df29ec78fc3fec38e396488a01963cd3 SHA-1: 971623700fb7121bb7adb93b07cdfdc220e593d8 SHA-256: 6955bbde3060e80da7cb2dc86cc8e363ee34003e6eb596fd067027de5da867cc
270 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1140 Deobfuscate or Obfuscate Malicious Files or Information

The sample is an OOXML document containing an embedded OLE object that drops a JavaScript payload, as indicated by the 'OFFICE_PACKAGE_RISKY_FILE' heuristic. The document body presents a fake invoice lure, instructing the user to 'Enable Editing' and click a button, which aligns with the 'SE_ENABLE_LURE' heuristic. The presence of the embedded JavaScript and the dropper heuristic suggests the document's primary purpose is to execute this script, likely to download and run a second-stage payload.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6489564-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6489564-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///C:\Program Files\Microsoft Office\Templates\1049\EssentialResume.dotx
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas OOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2014/chartexOOXML external relationship
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexOOXML external relationship
    • http://schemas.openxmlformats.org/markup-compatibility/2006OOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2012/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2015/wordml/symexOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeOOXML external relationship

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 15872 bytes
SHA-256: 0e10f65a582c636090bbfad35c75710ac052fd7fdbbbc942e0790c5225f8c312
Detection
ClamAV: Doc.Dropper.Agent-6489564-0
Obfuscation or payload: unlikely
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 13228 bytes
SHA-256: 5d0e192d75254bc2c452de16963eb161c58eae7b33f84ab7534057e02f145875
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject2.bin 13824 bytes
SHA-256: 7fb4d8857922a72e50815fd32af023baef9b11eed1794b35c7392c3884113ea1
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 10889 bytes
SHA-256: 6d21e4521cc21c30c57cab3bd8a3d31e435e1f43ca48ca511682355b5803582c
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 7460 bytes
SHA-256: 8c04051db2f02a06ba1c6a0b67df7571379951a2341dde191c554c64d2c5412b
emf_01.emf ooxml-emf OOXML EMF part: word/media/image2.emf 7448 bytes
SHA-256: f380cac79398af09a0adfa2b21ec8159965fc6afb364c76e1773f25a4f9b3248

Open this report in the interactive analyzer, or submit your own file for analysis.