Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 831c3c40cc3fbc28…

MALICIOUS

Office (OOXML)

Size: 148.2 KB
Created: 2018-04-23 02:07:47 UTC
Authoring application: Microsoft Office PowerPoint 12.0000
First seen: 2019-01-11
MD5: c50f9575695b5363c22989ba14ba7823
SHA-1: e223f8b1f9762ccaaddd76ea65d8b0adf3608a05
SHA-256: 831c3c40cc3fbc28b1ce1eca6bf278602c088f0580d6bdf324ef949c7d48a707
Risk score: 110

Malware Insights

MITRE ATT&CK: T1059.007 (JavaScript), T1566.001 (Spearphishing Attachment)

The sample contains an external relationship pointing to 'http://office.otzo.com/office.sct', which is indicative of an attempt to download and execute a script. The document body text appears to be unrelated interview questions, suggesting it is a lure. The script is likely intended to download and execute a second-stage payload.

Heuristics (4)

  • MSHTML-style external object relationship [critical, CVE-related] OFFICE_MSHTML_EXTERNAL_OBJECT
    External relationship to script:http://office.otzo.com/office.sct — exploitable MSHTML/CAB/MHTML/HTA-style Office attack surface
  • External relationship [high] OOXML_EXTERNAL_REL
    External target in ppt/slides/_rels/slide1.xml.rels: script:http://office.otzo.com/office.sct
  • External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: file:///C:\Users\John\Desktop\7z1801-x64.exe
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://office.otzo.com/office.sct (channel: document hyperlink)