Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8e0ac0a6d1717e43…

MALICIOUS

Office (OOXML)

Size: 5.33 MB
Created: 2014-08-19 07:24:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2015-03-15
MD5: 438b7d6447ae22f470fc0882b593539d
SHA-1: 3e0773f9b480f6e04b053deea03faf4afdb387bf
SHA-256: 8e0ac0a6d1717e4352c609b51de37620cb13af697068d241a5fcc6a1792158be
Risk score: 204

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1137.001 Office Application Startup: Office Template Macros (weakly supported here: the heuristics below record no VBA project or macro; the only execution path in evidence is the embedded OLE Package)
T1204.002 User Execution: Malicious File

The document body carries a Steam-account lure (a steamcommunity.com profile link), a common social-engineering theme. The critical finding is the delivery mechanism: the file holds thirteen embedded OLE parts of identical size, each an Ole10Native package, carrying a payload labelled 'img12.scr'. A .scr is a Windows screen-saver executable, a normal PE that runs when the user double-clicks the packaged icon, so no macro or parser exploit is involved and execution rests entirely on user interaction. ClamAV flags the packaged payload with the generic signature Win.Trojan.Agent-1246306, which confirms it is known malware but does not identify a family or capability.

Heuristics (5)

  • ClamAV: Win.Trojan.Agent-1246306 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-1246306
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • https://steamcommunity.com/profiles/ (in document text: OOXML body / shared strings)
    The six schemas.openxmlformats.org and schemas.microsoft.com entries are XML namespace identifiers present in every Word-generated OOXML file and carry no signal; only the steamcommunity.com profile URL is lure content.
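The two OLE-package heuristics above (OFFICE_PACKAGE_RISKY_FILE and OOXML_EMBEDDED_OBJECT_URL) both depend on parsing the Ole10Native stream carved from each embedded object. The following is an added example, not code from the report or its analysis engine: it parses an Ole10Native stream with the field layout that oletools' oleobj reads (size, flags, label, source path, temp path, payload), flags label or path strings ending in a directly auto-executable extension, and sweeps the packaged bytes for URLs in literal ASCII, UTF-16LE and base64 form. The sample stream, the victim paths and the example.invalid hosts are constructed for the example; the extension list is illustrative rather than the report's own ruleset.

```python
import base64
import binascii
import re
import struct

# Extensions Windows launches directly on double-click: native binaries and
# scripts handed to the default script host. Illustrative list for this
# example, not the report's own ruleset.
AUTO_EXEC_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "cpl", "msi", "lnk",
}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def _read_cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at buf[off]."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream. Layout (as read by oletools' oleobj):
    u32 size | u16 flags | label\\0 | src_path\\0 | u32 zero | u32 temp_len |
    temp_path\\0 | u32 data_len | data[data_len]."""
    size, flags = struct.unpack_from("<IH", stream, 0)
    off = 6
    label, off = _read_cstring(stream, off)
    src_path, off = _read_cstring(stream, off)
    _zero, temp_len = struct.unpack_from("<II", stream, off)
    off += 8
    temp_path, off = _read_cstring(stream, off)
    if len(temp_path) + 1 != temp_len:        # temp_len counts the NUL
        raise ValueError("Ole10Native: temp path length mismatch")
    (data_len,) = struct.unpack_from("<I", stream, off)
    off += 4
    data = stream[off:off + data_len]
    if len(data) != data_len:
        raise ValueError("Ole10Native: truncated payload")
    return {"size": size, "flags": flags, "label": label,
            "src_path": src_path, "temp_path": temp_path, "data": data}


def build_ole10native(label, src_path, temp_path, data):
    """Serialise the same layout; used here only to construct test input."""
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0, len(temp_path) + 1)
    body += temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body)) + body


def extension_of(name):
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def is_auto_executable(name):
    return extension_of(name) in AUTO_EXEC_EXTS


def find_urls(blob):
    """URL sweep over the packaged bytes in the three encodings the report's
    heuristic names: literal ASCII, UTF-16LE (both alignments), base64."""
    found = {m.decode("ascii") for m in URL_RE.findall(blob)}
    for off in (0, 1):
        wide = blob[off:].decode("utf-16-le", "ignore").encode("ascii", "ignore")
        found.update(m.decode("ascii") for m in URL_RE.findall(wide))
    for run in re.findall(rb"[A-Za-z0-9+/]{16,}={0,2}", blob):
        try:
            dec = base64.b64decode(run + b"=" * (-len(run) % 4))
        except (binascii.Error, ValueError):
            continue
        found.update(m.decode("ascii") for m in URL_RE.findall(dec))
    return sorted(found)


def triage_package(stream):
    """Apply the OFFICE_PACKAGE_RISKY_FILE logic to one Ole10Native stream."""
    rec = parse_ole10native(stream)
    findings = [f"{field} ends in auto-executable extension: {rec[field]}"
                for field in ("label", "src_path", "temp_path")
                if is_auto_executable(rec[field])]
    return {"verdict": "critical" if findings else "info",
            "findings": findings, "urls": find_urls(rec["data"]), "record": rec}


def build_sample_stream():
    """Constructed sample: a fake PE stub carrying one URL in each encoding.
    The victim paths and example.invalid hosts are made up for this example."""
    payload = (b"MZ" + b"\x90" * 14
               + b"http://example.invalid/stage2.bin\x00"
               + "https://example.invalid/wide".encode("utf-16-le") + b"\x00\x00"
               + base64.b64encode(b"http://example.invalid/b64") + b"\x00")
    return build_ole10native("img12.scr",
                             r"C:\Users\victim\Desktop\img12.scr",
                             r"C:\Users\victim\AppData\Local\Temp\img12.scr",
                             payload)


if __name__ == "__main__":
    result = triage_package(build_sample_stream())
    print(result["verdict"], result["findings"], result["urls"])
```

On a real sample the stream bytes come from the `\x01Ole10Native` stream of the carved OLE part (olefile or oledump can extract it); the parser is deliberately strict about the temp-path length and payload length so a malformed header is reported rather than silently mis-sliced.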

Extracted artifacts (26)

Files carved from inside the sample during analysis: thirteen embedded OLE parts (word/embeddings/oleObject1.bin to oleObject13.bin) and the Ole10Native stream carved from each. All thirteen OLE parts are 610816 bytes and carry the same ClamAV verdict; the Ole10Native streams differ in length by at most twelve bytes (603346, 603355 or 603358 bytes), which is consistent with one payload packaged repeatedly under slightly different label or path strings rather than thirteen distinct payloads. The distinct SHA-256 per part therefore should not be read as thirteen different binaries; to compare them, hash the packaged payload bytes after stripping the Ole10Native header.

Filename / Kind / Source / Size, followed by SHA-256, detection and obfuscation assessment for each carved file:
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject12.bin 610816 bytes
SHA-256: a95625434c85dd417a5861db07f4f7146fb9cfe4b9dbad148375e01641ba89dd
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject12.bin Ole10Native stream: Ole10Native 603355 bytes
SHA-256: 4cbcbc713a8b6f226015c95bb5c5e8caf02b93fbf03ee261ab1c7e86a5d1e054
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject10.bin 610816 bytes
SHA-256: 360e33f857a106e2585c039bc6e4adbd21d5a6a946e6674f2c573e6c35d03352
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML word/embeddings/oleObject10.bin Ole10Native stream: Ole10Native 603355 bytes
SHA-256: 30b004f24f7efad17be4802b472c8f74ad7857949400aee22a92ee8efba3781f
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject7.bin 610816 bytes
SHA-256: f1a81590b740656c3adc7039c9722308ac83ab0a38a48ff556fc55c72fd7d422
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_02_ole10native_00.bin ole-package OOXML word/embeddings/oleObject7.bin Ole10Native stream: Ole10Native 603346 bytes
SHA-256: 4fa0b171919d0201f2d2c6208da4f322b758764e71337d17da4ca1f09a5b5c66
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject13.bin 610816 bytes
SHA-256: 12953b1fe2685637ab9897f00b6907b3cf7f03e7d358852da2fc108b2abd3229
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_03_ole10native_00.bin ole-package OOXML word/embeddings/oleObject13.bin Ole10Native stream: Ole10Native 603355 bytes
SHA-256: 74be58c25e46c6bd134f543f582f7a4bc7ab3f8eafaeb01b975f7571e10a681f
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_04.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject5.bin 610816 bytes
SHA-256: c8df2596f1b80cf16e7a31e5686d9c8773665da630f5c4d4da2b78038cc2bd22
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_04_ole10native_00.bin ole-package OOXML word/embeddings/oleObject5.bin Ole10Native stream: Ole10Native 603346 bytes
SHA-256: 1c1aefb17c34d6ce268c24fd72035602ac73681c39ff2a72d239df5e6b80e730
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_05.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject2.bin 610816 bytes
SHA-256: e153a7c99e63475cd2e5c1a80a5820eb6d6143c9902b8b1c90c09bb784799970
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_05_ole10native_00.bin ole-package OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 603346 bytes
SHA-256: 200b11cf04118147543858efdc23862b4b53c7ac9a077f49d3789371da538208
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_06.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 610816 bytes
SHA-256: e0bf07b623a224fae6761b46475a282bca9a741629108bef67f01a9dd13bf18a
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_06_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 603358 bytes
SHA-256: fdee7fa235c84a9de65b7042e4ba10abd666a91e537bf7274ad99cffa12fa95d
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_07.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject4.bin 610816 bytes
SHA-256: 69fdc85bec8a233c6d17f1e720951abd216bc9216d44519957f9ad81b56af2d0
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_07_ole10native_00.bin ole-package OOXML word/embeddings/oleObject4.bin Ole10Native stream: Ole10Native 603346 bytes
SHA-256: f2388ce242e26182618ebf16492779a51cb6a71f25e66a465e1da67f984124b9
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_08.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject8.bin 610816 bytes
SHA-256: 374b02a83d07950cfa2fab7de526f1b125ccc90794b50f8f9a3265b53141b629
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_08_ole10native_00.bin ole-package OOXML word/embeddings/oleObject8.bin Ole10Native stream: Ole10Native 603358 bytes
SHA-256: a9ac22667968d0a8767ada813527150d959881640a5c7f0fad98c28c5402cc9c
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_09.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject11.bin 610816 bytes
SHA-256: 0816d3626b43ed14d52ca3f3c26efd15ba422d791053c1ddc15b767d2e408249
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_09_ole10native_00.bin ole-package OOXML word/embeddings/oleObject11.bin Ole10Native stream: Ole10Native 603355 bytes
SHA-256: 991097b1b7f663b106ac6dfd4b31c9ca540da358317d6837eac1cf5e71aa6b1b
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_10.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject6.bin 610816 bytes
SHA-256: 151d0a649df6be9d070c7b968a22018fe8b49fdecbd8a6f2bbc90ab2d77270ed
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_10_ole10native_00.bin ole-package OOXML word/embeddings/oleObject6.bin Ole10Native stream: Ole10Native 603346 bytes
SHA-256: 641bb997131e18b3460230bb7c21b4150b4f6566f14607306fa0ce178d8a6949
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_11.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject3.bin 610816 bytes
SHA-256: 514ef841b7126a2772ccecb7aeac1ae0bad6f3038fc6b35bf762032b5112e8c8
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_11_ole10native_00.bin ole-package OOXML word/embeddings/oleObject3.bin Ole10Native stream: Ole10Native 603346 bytes
SHA-256: a85ea51f13c724a6affbb1a69df242f4a2affa25a554ef9faf4a5796c5d29e9d
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_12.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject9.bin 610816 bytes
SHA-256: 2b2f2f42a9ac9b118e8f670bf3e3a39023560226a2352bb9d9067a6b9e609f5f
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
ooxml_oleobject_12_ole10native_00.bin ole-package OOXML word/embeddings/oleObject9.bin Ole10Native stream: Ole10Native 603346 bytes
SHA-256: c506abe433bfcb94ef069b7b8320ca32a2306ea1937653ed4b221f03df8cb1c7
Detection
ClamAV: Win.Trojan.Agent-1246306
Obfuscation or payload: unlikely
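The artifact sources above are OOXML parts under word/embeddings/, which Word references from word/document.xml through relationship IDs. The following is an added example, not the report's or its engine's code, showing how to walk a .docx the same way: resolve each <o:OLEObject> to its embeddings part via word/_rels/document.xml.rels, check for the OLE2 compound-file signature, hash the part, flag objects with ProgID "Package" (the Packager ProgID, which is what carries an Ole10Native stream), and list embeddings parts the body never references. The minimal .docx it builds is constructed in memory for the example; its .bin parts are just the OLE2 magic plus padding, not real objects.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "o": "urn:schemas-microsoft-com:office:office",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "pr": "http://schemas.openxmlformats.org/package/2006/relationships",
}
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB / OLE2 signature


def enumerate_embedded_objects(docx_bytes):
    """Map each <o:OLEObject> in word/document.xml to its embeddings part via
    the document relationships, hash the part, and flag Packager objects
    (ProgID "Package"), which are the ones carrying an Ole10Native stream.
    Also reports embeddings parts the document body never references."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        rels = {}
        rel_root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
        for rel in rel_root.iterfind("pr:Relationship", NS):
            rels[rel.get("Id")] = rel.get("Target")
        doc = ET.fromstring(zf.read("word/document.xml"))
        objects, referenced = [], set()
        for obj in doc.iterfind(".//o:OLEObject", NS):
            rid = obj.get("{%s}id" % NS["r"])
            target = rels.get(rid, "")
            # Targets are normally relative to word/; some writers emit absolute ones.
            part = target.lstrip("/") if target.startswith("/") else "word/" + target
            referenced.add(part)
            blob = zf.read(part) if part in names else b""
            objects.append({
                "rid": rid,
                "part": part,
                "prog_id": obj.get("ProgID"),
                "draw_aspect": obj.get("DrawAspect"),
                "is_ole2": blob.startswith(OLE_MAGIC),
                "is_package": obj.get("ProgID") == "Package",
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
        orphans = sorted(n for n in names
                         if n.startswith("word/embeddings/") and n not in referenced)
    return {"objects": objects, "orphan_parts": orphans}


def build_sample_docx():
    """Constructed minimal .docx: one Packager object rendered as an icon (as a
    dropped .scr would be), one ordinary Excel embed, and one embeddings part
    nothing references. Not a real document; bins are magic plus padding."""
    document_xml = (
        '<w:document xmlns:w="%s" xmlns:o="%s" xmlns:r="%s"><w:body>'
        '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" '
        'DrawAspect="Icon" ObjectID="_1" r:id="rId5"/></w:object></w:r></w:p>'
        '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Excel.Sheet.12" '
        'DrawAspect="Content" ObjectID="_2" r:id="rId6"/></w:object></w:r></w:p>'
        '</w:body></w:document>' % (W_NS, NS["o"], NS["r"]))
    rels_xml = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId5" Type="%s/oleObject" Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId6" Type="%s/oleObject" Target="embeddings/oleObject2.bin"/>'
        '</Relationships>' % (NS["pr"], NS["r"], NS["r"]))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("word/embeddings/oleObject2.bin", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("word/embeddings/oleObject3.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    report = enumerate_embedded_objects(build_sample_docx())
    for o in report["objects"]:
        print(o["part"], o["prog_id"], "PACKAGE" if o["is_package"] else "-", o["sha256"][:16])
    print("unreferenced:", report["orphan_parts"])
```

Running this over the real sample would list the thirteen oleObjectN.bin parts in the order the body references them; a part present in the archive but absent from this list is worth carving anyway, since a dropper can hide an object the rendered document never shows.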