Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a010e7ffd51a4738…

MALICIOUS

Office (OOXML)

56.2 KB Created: 2021-03-24 19:10:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-04-10
MD5: 863c3322baf74ecf3a42935bf96f56eb SHA-1: 7470885ef8791cad9bb25cd6d88bde80b4b90e7a SHA-256: a010e7ffd51a4738590c3796afb147e830d81fb50285cd991ee1304e901552a1
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample contains a critical DDE heuristic firing indicating a malicious command. This command decodes to execute PowerShell, likely to download and run a second-stage payload. An external relationship to a template file was also observed, suggesting this document may have been delivered as a spearphishing attachment.

Heuristics 5

  • Malicious DDE command critical OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: \\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: file:///C:\Users\Acer\AppData\Roaming\Microsoft\Templates\APA style report (6th edition).dotx
  • Field QUOTE with ASCII-integer payload medium OOXML_FIELD_QUOTE_ASCII_PAYLOAD
    QUOTE field in word/document.xml carries an integer sequence that decodes to a printable byte string
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.43.221/download.ps1 OOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasOOXML external relationship
    • http://schemas.openxmlformats.org/markup-compatibility/2006OOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2012/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeOOXML external relationship

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Excel_Worksheet1.xlsx 8918 bytes
SHA-256: f151831da7b1c70648fb45c3b552e48b1be0955a8df7177e00b0669145996fb7

Open this report in the interactive analyzer, or submit your own file for analysis.