Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 81563e5dc448adc0…

MALICIOUS

Office (OOXML) / .DOC

Size: 77.9 KB
Created: 2021-02-22 03:22:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: d1a17af9ca519f13af16bc25e355b268
SHA-1: 5f7ac4cb0a520f8b346f34fe84afe1e35ed19e4f
SHA-256: 81563e5dc448adc01aca4f1a722f164717517319221679e4b0feaeeaa3d004b5
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample contains an external OLE object relationship pointing to a URL, which is a known indicator for exploitation of CVE-2017-8759. This technique is used to download and execute a secondary payload from the specified URL. The document likely serves as a lure delivered via spearphishing.

Heuristics 3

  • OOXML OLE2Link remote document — CVE-2017-8759 related [severity: high] [CVE related] (CVE_2017_8759_RELATED)
    Document contains an o:OLEObject Type=Link whose external oleObject relationship fetches a remote Office-looking document. That is the OOXML OLE2Link staging shape used by CVE-2017-8759 campaigns when the remote document/WSDL supplies the SOAP moniker payload; the local file alone does not contain the WSDL body needed for an exact match.
  • External OLE object relationship [severity: high] (OOXML_EXTERNAL_OLE_OBJECT)
    Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
  • Embedded URL [severity: info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/4.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/10.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/7.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/1.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/9.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/5.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/3.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/6.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/2.doc
    • http://dreamakers3.hospedagemdesites.ws/dreamnovo/wp-includes/certificates/c/8.doc

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename    SHA-256                                                           Kind       Source                                  Size
emf_00.emf  c0d1c76828f20b7488758a893525655848f60d764bc00c142ac738bf9aca0def  ooxml-emf  OOXML EMF part: word/media/image8.emf   5408 bytes
emf_01.emf  cc6c1227b3f9cf5c692323a1dda4a9959fde25c8bcbc5afc0be5b0d3cf8ce1a7  ooxml-emf  OOXML EMF part: word/media/image7.emf   5408 bytes
emf_02.emf  d2f2d91a5550ebc54470c6f46d7551254fef67484e65fc066b2314787df522b1  ooxml-emf  OOXML EMF part: word/media/image10.emf  5416 bytes
emf_03.emf  5e178cee143f725f34d0f2ba9d6b684d2673b0a0fc0b6c80b708b9c00ae8138c  ooxml-emf  OOXML EMF part: word/media/image11.emf  5408 bytes
emf_04.emf  ed7787fbe417d6cb5318031759bd4b6c54a1914889baa41f490f160c83dee7aa  ooxml-emf  OOXML EMF part: word/media/image9.emf   5408 bytes
emf_05.emf  b6081be46444318545f177d8c9554f702b3591a16ef7d701e3c159167b145ae3  ooxml-emf  OOXML EMF part: word/media/image4.emf   5408 bytes
emf_06.emf  233defb2f479a5e1f274cec444499cf7181b2c870bf619509028695eb45c64a0  ooxml-emf  OOXML EMF part: word/media/image5.emf   5408 bytes
emf_07.emf  c1482521df758af0255f4aaf5f1ed28ea2cfdd61c26fe2da435e2998087053ba  ooxml-emf  OOXML EMF part: word/media/image3.emf   5408 bytes
emf_08.emf  9536d3b1516558df413e1e87e2423b42ccf183a6751ba20f6d0b924058e695dc  ooxml-emf  OOXML EMF part: word/media/image2.emf   5408 bytes
emf_09.emf  0b54f207bda1a4d4fc4b5c66707cfce61027feebd362d60063b86a5d62d385d4  ooxml-emf  OOXML EMF part: word/media/image6.emf   5408 bytes