Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ab60291dcde454d4…

MALICIOUS

Office (OOXML)

Size: 152.2 KB
Created: 2021-06-08 08:35:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2021-06-20
MD5: de6df92949bc60d017dd976df3e72486
SHA-1: b481123647f699482bdf7a361ac35120c33594bd
SHA-256: ab60291dcde454d4c69bbfe9c0de4cc743addff3f2a1c114e4933ac2527c4ce6
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample leverages the CVE-2017-0199 vulnerability, indicated by the 'OOXML_EXTERNAL_OLE_OBJECT' and 'CVE_2017_0199_RELATED' heuristics. This vulnerability is used to fetch and execute a secondary payload from the URL http://bit.do/fQ2h9. The document's content is minimal and likely serves as a lure for the exploit.

Heuristics (3)

  • OOXML OLE2Link remote loader — CVE-2017-0199 related [high] [CVE related] CVE_2017_0199_RELATED
    Document contains an o:OLEObject Type=Link whose external oleObject relationship points to a remote URL. This is the OOXML OLE2Link activation shape associated with CVE-2017-0199 delivery, but the local file does not expose URL Moniker bytes or a weaponized extension/content type, so the exact CVE cannot be proven statically.
  • External OLE object relationship [high] OOXML_EXTERNAL_OLE_OBJECT
    Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each:
    • http://bit.do/fQ2h9 [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/markup-compatibility/2006 [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/math [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2006/wordml [In document text (OOXML body / shared strings)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 28748 bytes
    SHA-256: eea66eebfcc9e54bbee490cdaae76fb80599683afba1489123482cca1435a52d