Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a07f7c8a17b05b6b…

MALICIOUS

Office (OLE)

Size: 65.8 KB
Created: 2018-11-07 06:22:00
Authoring application: Microsoft Office Word
First seen: 2019-02-10
MD5: 80dcde908b881f8addf1139fea24ffc9
SHA-1: c61c61500042a64fff900f237557f7fd3980587e
SHA-256: a07f7c8a17b05b6bf3d00652f8717dd13b66bf436c472cd877978dccb4310e7e
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The sample contains a heavily obfuscated PowerShell command embedded within the document body. This command is designed to decompress a Base64-encoded string, which is then used to execute further PowerShell commands. The heuristics indicating cmd.exe and PowerShell invocation strongly suggest that this script is intended to download and execute a second-stage payload.

Heuristics (4)

  • Suspicious cmd.exe invocation with execution flag (severity: high, SC_STR_CMD)
  • Reference to PowerShell (severity: high, SC_STR_POWERSHELL)
  • LOLBin token sequence in document text (severity: high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)