Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ab149bb2ea961c0a…

MALICIOUS

Office (OOXML)

Size: 32.2 KB
Created: 2014-09-09 05:02:56 UTC
Authoring application: Microsoft Office PowerPoint 12.0000
First seen: 2019-08-04
MD5: 54328a0edee79296ffca7d5d5440ad18
SHA-1: b9b1a7eb3e9c761665276cf6b2c52f6322739c84
SHA-256: ab149bb2ea961c0a07a2f734b4eb495307637be7f2f6aa122f7b18b442b989eb
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The file contains critical and high severity heuristics indicating the presence of external OLE and MSHTML objects. These objects point to a remote URL, http://i876edw4e5f6tg78hy9tg7r6ftgiy8.erlivia.ltd/black.hta, which is likely intended to be downloaded and executed. This suggests the file acts as a dropper for a secondary payload.

Heuristics (3)

  • MSHTML-style external object relationship (critical, CVE related) OFFICE_MSHTML_EXTERNAL_OBJECT
    External relationship to http://i876edw4e5f6tg78hy9tg7r6ftgiy8.erlivia.ltd/black.hta: exploitable MSHTML/CAB/MHTML/HTA-style Office attack surface.
  • External OLE object relationship (high) OOXML_EXTERNAL_OLE_OBJECT
    Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://i876edw4e5f6tg78hy9tg7r6ftgiy8.erlivia.ltd/black.hta (in document text: OOXML body / shared strings)