Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ab533d6ca0c2be88…

MALICIOUS

Office (OOXML)

37.1 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-05-25
MD5: 87a20b16fb3b87f76cbeb5ae80ea97dc SHA-1: 0ad5ff08e5178116fb40ffc288242867abb7ee86 SHA-256: ab533d6ca0c2be8860a0f7fbfc7820ffd595edc63e540ff4c5991808da6a257d
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OOXML file containing an embedded OLE object, identified as an Equation Editor object. This object likely exploits a vulnerability to execute code, and a heuristic indicates it contains a payload URL. The URL http://192.3.31.212/AMANICRYPTED.exe is extracted, suggesting the document's purpose is to download and execute a secondary payload.

Heuristics 5

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.3.31.212/AMANICRYPTED.exe In document text (OOXML body / shared strings)

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 12800 bytes
SHA-256: 9c2332ef852e8f2f461584bc001e84b2115f9de2e240e5bc5283a52418885d6a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell" ) Carved artifact contains 2 shell/COM execution token(s).
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 9974 bytes
SHA-256: 18652e28e72dd6c2a152309e4d3202db194860d552220e001cb40be75783d442
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell" ) Carved artifact contains 2 shell/COM execution token(s).
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 3072 bytes
SHA-256: f93221a86e5d9b84d775b474275fdc09bad8975efac45c80713c12645f4f47c0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 827 bytes
SHA-256: 4be6888b59b0fb33e026d80233be7ce78a8a577dc699bdd2121220058ce8f5cc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): Wscript.Shell");
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 5936 bytes
SHA-256: 76d893e9c370a246958ec10157ca93b01721262be72e5bbcae907efdc7e944b8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): cmd /c ren %tmp%\yy y.js&cscript %tmp%\y.js  C
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image1.emf 4968 bytes
SHA-256: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 1536 bytes
SHA-256: 4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f

Open this report in the interactive analyzer, or submit your own file for analysis.