Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 75a2db01ae62defd…

MALICIOUS

Office (OOXML)

Size: 840.2 KB
Created: 2013-06-06 04:43:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2015-09-30
MD5: 9e5c4d14b9c2e7e38a8482491b8aea90
SHA-1: d23ad174cdc29e1f346f38f2b85516c939eae583
SHA-256: 75a2db01ae62defd49ae94c779588ff259706eff25f7c3273c61eec179ba7f5d
Risk Score: 146

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is a malicious OOXML document containing an embedded OLE object. This object is identified as a script dropper that fetches and executes a payload, disguised as 'AdobeReader.exe'. The embedded URLs are used for downloading the payload, indicating an Ingress Tool Transfer (T1105) technique. The presence of an embedded executable within an Office document strongly suggests it was delivered via Spearphishing Attachment (T1566.001). While the exact script language is not explicitly detailed, the download-and-execute functionality implies a Command and Scripting Interpreter (T1059) technique, likely PowerShell given the context of Windows executables.

Heuristics (6)

  • Ole10Native package payload is a download-and-execute script [critical] OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Payload URL recovered from embedded OLE object (5 URLs) [info] OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.thawte.com0
      Channel: Embedded OLE package script
    • http://ts-ocsp.ws.symantec.com07
      Channel: Embedded OLE package script
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml
      Channel: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
      Channel: In document text (OOXML body / shared strings)
    • http://crl.thawte.com/ThawteTimestampingCA.crl0
      Channel: Embedded OLE package script
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
      Channel: Embedded OLE package script
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
      Channel: Embedded OLE package script
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
      Channel: In document text (OOXML body / shared strings)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 684032 bytes
    SHA-256: 0912315b4fc4b674951b614763ed4c3c66fd6d336cdc884c9edfc8631a929dfc
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.89, consistent with packed or encrypted content.
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 675885 bytes
    SHA-256: 5dbd00c84415707325f0a5e486f9ff1dfd5fda32f2cfc334cc68f4b084910ad7
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.91, consistent with packed or encrypted content.
  • Filename: emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 5132 bytes
    SHA-256: 7d84a31bb1b28193c7bfb4f4c97f4463717aec67fe54b0e7349b65d240d49ce3