Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 992df82cf31a91ac…

MALICIOUS

Office (OOXML) / .DOC

Size: 71.6 KB
Created: 2022-02-01 04:47:00 UTC
Authoring application: 16.0000
First seen: 2022-02-16
MD5: 4d01975268c215fc26ed79ebd17ec22d
SHA-1: 64c6752af3632f6f49fd6db091182e753e5d9f80
SHA-256: 992df82cf31a91acd034411bb43a1ec127fa15d613b108287384882807f81764
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
T1059.001 PowerShell
T1105 Ingress Tool Transfer

The sample is an OOXML document containing an embedded OLE object. Heuristics indicate this object is a script dropper that downloads and executes a payload from the URL https://cdn.discordapp.com/attachments/932413459872747544/938291977735266344/putty.exe. The embedded payload is identified as a risky executable file. The document body appears to be a lure, possibly related to official communications, to trick the user into opening the malicious content.

Heuristics (4)

  • Ole10Native package payload is a download-and-execute script [critical] OFFICE_PACKAGE_SCRIPT_DROPPER
    The OLE Package's embedded payload contains a script that hosts a shell (PowerShell/WScript/mshta), fetches a remote resource, and executes it — a download-and-run dropper. Embedding such a script inside an Office document via the Object Packager is a direct user-execution delivery technique (MITRE T1204.002), not a benign attachment.
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://cdn.discordapp.com/attachments/932413459872747544/938291977735266344/putty.exe
    Other URLs extracted from the document:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                                Kind               Source                                                              Size
ooxml_oleobject_00.bin                  ooxml-ole-object   OOXML embedded OLE part: word/embeddings/oleObject3.bin             10240 bytes
    SHA-256: 131722bb8405d06b4102febee95b22429e1a67d7cc98cdaaddd8fba8a7bc7a18
ooxml_oleobject_00_ole10native_00.bin   ole-package        OOXML word/embeddings/oleObject3.bin Ole10Native stream: Ole10Native 864 bytes
    SHA-256: 8e2046758b783e41bf06829f15e414277ac18c4d761a605419cf59df0ee9031e
emf_00.emf                              ooxml-emf          OOXML EMF part: word/media/image2.emf                               7456 bytes
    SHA-256: 27f73c111b924fdde231b3b61cb92bce7015eb0b6deb7b70964ff7bdc08e942a