Office (OOXML) malware analysis — malicious · 72ccf3ff6d43d3ce

MALICIOUS

Office (OOXML)

60.5 KB Created: 2018-02-21 00:56:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2018-03-24

MD5: 7f57d94abeed8b6dc30855b4c2162ade SHA-1: 42f33c7a9ea9c6d59b50cd5230e27e46b60a293e SHA-256: 72ccf3ff6d43d3ce9f034dcaf450ce3e9a3f21fb3fc928b7dc34972c3640d554

102 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OOXML document identified as malicious due to the presence of an external OLE object. This object points to 'http://b.reich.io/hncdua.doc', which is highly indicative of an exploit attempt targeting CVE-2017-8759. The embedded EMF artifact suggests potential shellcode, further supporting the exploitation vector.

Heuristics 4

OOXML OLE2Link remote document — CVE-2017-8759 related high CVE related CVE_2017_8759_RELATED

Document contains an o:OLEObject Type=Link whose external oleObject relationship fetches a remote Office-looking document. That is the OOXML OLE2Link staging shape used by CVE-2017-8759 campaigns when the remote document/WSDL supplies the SOAP moniker payload; the local file alone does not contain the WSDL body needed for an exact match.
External OLE object relationship high OOXML_EXTERNAL_OLE_OBJECT

Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://b.reich.io/hncdua.doc In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`emf_00.emf`	ooxml-emf	OOXML EMF part: word/media/image1.emf	401396 bytes
SHA-256: `21d01a6bfe8e0af4fde26198451455c29c3b9fe0814e841534ce5ecc8b8398e7`
Detection ClamAV: No threats found Obfuscation or payload: likely Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C

Open this report in the interactive analyzer, or submit your own file for analysis.