Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 a84e48dcaaff6bc6…

MALICIOUS

Office (OOXML) / .DOCX

274.4 KB
MD5: 3e2b6098d300a0a15f499f665dd4c1a9 SHA-1: a1797862e243803561d379b8a6179fddfc8dbb22 SHA-256: a84e48dcaaff6bc661f220353ba68a694c91e2cdd1de1ef16aa6424b19cfd092
342 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information T1137.003 DLL Side-Loading T1204.002 Malicious File

The OOXML document contains an altChunk that imports an RTF file named 'Azerbaijan.rtf'. This RTF file contains an OLE object that is configured to auto-update, which is a strong indicator of malicious intent. The RTF file itself contains excessive hex data and a PE header, suggesting it is an embedded executable. This mechanism is commonly used to deliver and execute a secondary payload.

Heuristics 9

  • Composite Moniker in RTF OLE object high CVE related RTF_COMPOSITE_MONIKER_RELATED
    (in altChunk RTF word/Azerbaijan.rtf) RTF contains Composite Moniker CLSID in OLE object context, but no nearby scriptlet/SCT payload was confirmed. Treat as related moniker attack-surface evidence rather than proof of CVE-2017-8570 exploitation.
  • altChunk imports embedded RTF (RTF injection) critical OOXML_ALTCHUNK_RTF
    Document inlines an embedded RTF via an aFChunk relationship and a <w:altChunk> body element. This is the canonical RTF-injection wrapper used to smuggle RTF exploits (Equation Editor / URL Moniker / objdata) past DOCX-only scanners. Word opens the wrapper and executes the RTF inline. Recursing into the RTF for the exact exploit primitive.
  • PE header (with DOS stub) in hex data critical RTF_MZ_HEX
    (in altChunk RTF word/Azerbaijan.rtf) Hex-encoded PE (MZ + DOS stub) found inside RTF — likely an embedded executable payload
  • altChunk RTF auto-updates embedded executable object critical OOXML_ALTCHUNK_RTF_AUTOUPDATE_PE
    OOXML document imports an embedded RTF through altChunk; the RTF contains OLE object data, forces object update, and carries a hex-encoded PE payload. This is a stronger compound exploit-loader shape than a generic altChunk RTF wrapper, but it is not tied to a single CVE unless the nested RTF object primitive also matches one.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    (in altChunk RTF word/Azerbaijan.rtf) RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • Large hex data blocks in OLE object high RTF_EXCESSIVE_HEX
    (in altChunk RTF word/Azerbaijan.rtf) RTF contains ~1049KB of hex-encoded data inside \objdata sections — may hide a payload
  • OLE object data medium RTF_OBJDATA
    (in altChunk RTF word/Azerbaijan.rtf) RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    (in altChunk RTF word/Azerbaijan.rtf) RTF contains \objemb — embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://opendope.org/xpaths
    • http://opendope.org/conditions
    • http://opendope.org/questions
    • http://opendope.org/components
    • http://opendope.org/SmartArt/DataHierarchy
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/schemaLibrary/2006/main
    • http://schemas.openxmlformats.org/drawingml/2006/chart
    • http://schemas.openxmlformats.org/drawingml/2006/chartDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/diagram
    • http://schemas.openxmlformats.org/drawingml/2006/picture
    • http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing
    • http://schemas.microsoft.com/office/drawing/2008/diagram
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/drawingml/2006/compatibility
    • http://schemas.openxmlformats.org/drawingml/2006/lockedCanvas

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off00022ce6.bin
011dd4ac173e90140dfc0d0c68d5774b6f48b6589bc9123bf2a4dac34f8166dd		 rtf-objdata-decoded RTF \objdata at offset 0x22CE6 496210 bytes
objdata_01_off001209bc.bin
56684de9a3a82fd5fe392f331efb0aef7d8f1ca301483bc8e8af8263a6e0e72b		 rtf-objdata-decoded RTF \objdata at offset 0x1209BC 534490 bytes
rtf_svb_00002c19.zip
d39b64319316e088a3b732b0bbaad03692be6c735566f33d475288af16e459ea		 rtf-svb-package RTF \svb hex-decoded ZIP at offset 0x2C19 8890 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.