Win.Trojan.Dorifel-405 — Office (OOXML) malware analysis

Static analysis result for SHA-256 b47de9965aa2788f…

MALICIOUS

Office (OOXML)

Size: 617.6 KB
Created: 2014-07-07 06:58:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2014-11-01
MD5: f1eefd15c62b8d2413914fd906f03f76
SHA-1: 3bb8d7664ffb3ee0b75d48238aec54b4d01eae86
SHA-256: b47de9965aa2788fdb943e7e0313d3836b8d8b0653413e81ca41418d380ee616
Risk Score: 164

Malware Insights

Win.Trojan.Dorifel-405 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected as Win.Trojan.Dorifel-405 by ClamAV, indicating a known malicious trojan. It contains an embedded OLE object which, based on heuristic analysis, likely hosts a payload. The document body suggests the user must download the file to view it properly, a common social engineering tactic to bypass security controls and execute embedded malware. The embedded OLE object likely contains shellcode designed to download and execute a second-stage payload from the identified URLs.

Heuristics (5)

  • ClamAV: Win.Trojan.Dorifel-405 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Dorifel-405
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Payload URL recovered from embedded OLE object (5 URLs) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ocsp.thawte.com0 | In document text (OOXML body / shared strings)
    • http://ts-ocsp.ws.symantec.com07 | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing | In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml | In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape | In document text (OOXML body / shared strings)
    • http://crl.thawte.com/ThawteTimestampingCA.crl0 | In document text (OOXML body / shared strings)
    • http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 | In document text (OOXML body / shared strings)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0 | In document text (OOXML body / shared strings)
    • http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( | In document text (OOXML body / shared strings)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 678912 bytes
  SHA-256: 957e877c950df0229ce8189a5564a366985fccfb10c484dff96d0b8782decdce
  Detection: ClamAV: Win.Trojan.Dorifel-405
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: SC_STR_GETPROCADDRESS, SC_STR_SHELLEXEC, SC_GETPC_CALL
  Static shellcode analysis recovered API/import strings: kernel32.dll, advapi32.dll, shell32.dll, KERNEL32.DLL, ADVAPI32.DLL, GetProcAddress
  Carved artifact entropy is 7.99, consistent with packed or encrypted content.
emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image1.emf | 5380 bytes
  SHA-256: 07cf8c81c3836f19cb781511b7b5b705ba81b233218f2214740d309eb5ffb724