Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b483b2b344464a87…

MALICIOUS

Office (OOXML)

Size: 863.4 KB
Created: 2010-09-09 06:37:19 UTC
Authoring application: Microsoft Office PowerPoint 12.0000
First seen: 2018-10-07

MD5: 584e8224fdbcff7a4496a19e52d22c1e
SHA-1: 5fcc180e4ad3de7d72bf19db99f207adcecc2aab
SHA-256: b483b2b344464a87dc147bf4c339dfc889abf643797fd9f11b6177fc9448b401

Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an OOXML presentation (authoring application PowerPoint 12.0, i.e. Office 2007) containing four embedded OLE parts under ppt/embeddings/, six EMF images under ppt/media/, and an external relationship in a chart part that points to an Excel file on the author's local drive. The document body text discusses personnel profiles and department status, which could serve as a lure for the embedded malicious content. The embedded OLE objects are the parts that warrant closer inspection: an OLE object can wrap a payload that runs when the user double-clicks it (an OLE Package) or a file type that exploits a vulnerable handler, but whether these particular objects do so cannot be determined from the container alone. Each carved part should be opened with an OLE parser and its streams examined before the verdict is acted on.

Heuristics (3)

  • External relationship (high) OOXML_EXTERNAL_REL
    External target in ppt/charts/_rels/chart2.xml.rels: file:///C:\Work\Solutions\Document Support\Audit Committee Presentation\Versions\Graphs & Graphic.xlsx
    The target is a file:// path on a local drive, not a URL: this is how PowerPoint records a chart linked to its source workbook, so this relationship cannot fetch anything from the network when the file is opened. It does leak the author's directory layout, which is useful for attribution but is not a payload reference.
  • Embedded OLE object (medium) OOXML_OLE_OBJECT
    Document contains embedded OLE objects (four parts under ppt/embeddings/, listed under Extracted artifacts below)
  • Fake invoice / payment lure (low) SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb, useful context when combined with link, macro, or attachment indicators. Note that the body text summarised above concerns personnel profiles and department status, so this low-confidence match should be weighed accordingly.
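The two OOXML heuristics above (external relationship, embedded OLE object) can be reproduced offline from the container itself. The following Python script is an added example written for this page, not output of the analysis tool: it walks the zip, flags every relationship with TargetMode="External" and classifies its target (local file:// path, UNC path, remote URL), lists every part under an embeddings/ directory with its SHA-256, which .rels part links to it, and a container-level triage (OLE compound file vs. embedded OOXML zip package, plus UTF-16LE stream-name markers that a proper parser such as oledump would show you in full), and checks EMF parts for a valid EMR_HEADER. build_sample() assembles a constructed container mirroring this report's layout; the relationship IDs, paths and blobs in it are made up, and the OLE blobs are only a CFB header plus a marker string, not real compound files.

```python
import hashlib
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ODR = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                         # embedded OOXML package (e.g. .xlsx)

def classify_target(target: str) -> str:
    """Say what an external relationship target points at."""
    if target.startswith(("\\\\", "//")):
        return "unc-path"       # resolving it can send NTLM credentials to a share
    if len(target) > 2 and target[1] == ":" and target[0].isalpha():
        return "local-file"     # bare drive-letter path
    scheme = urlsplit(target).scheme.lower()
    if scheme == "file":
        return "local-file"     # linked chart/workbook on the author's own disk
    if scheme in ("http", "https", "ftp"):
        return "remote-url"     # fetched on open or on click, depending on Type
    return "other"

def resolve_target(rels_part: str, target: str) -> str:
    """Turn an internal relationship Target into the zip entry it names."""
    if target.startswith("/"):
        return target.lstrip("/")
    source_dir = posixpath.dirname(posixpath.dirname(rels_part))  # drop _rels/x.rels
    return posixpath.normpath(posixpath.join(source_dir, target))

def describe_embedding(blob: bytes) -> dict:
    """Container-level triage of an embedded part: magic bytes plus stream-name markers."""
    info = {"container": "unknown", "hints": []}
    if blob.startswith(CFB_MAGIC):
        info["container"] = "ole-cfb"
        # CFB directory names are UTF-16LE; Ole10Native = OLE Package (wraps any file)
        for stream in ("Ole10Native", "Workbook", "Package"):
            if stream.encode("utf-16-le") in blob:
                info["hints"].append(stream)
    elif blob.startswith(ZIP_MAGIC):
        info["container"] = "zip-package"  # an embedded .xlsx is a zip, not OLE
    return info

def scan_ooxml(data: bytes) -> dict:
    findings = {"external_rels": [], "embeddings": [], "emf_parts": []}
    referenced_by = {}  # embedded part -> the .rels part that links to it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    target = rel.get("Target", "")
                    rel_type = rel.get("Type", "").replace(ODR, "")
                    if rel.get("TargetMode", "Internal").lower() == "external":
                        findings["external_rels"].append({
                            "rels_part": name, "rel_type": rel_type,
                            "target": target, "kind": classify_target(target)})
                    else:
                        referenced_by[resolve_target(name, target)] = name
            elif "/embeddings/" in name:
                blob = zf.read(name)
                findings["embeddings"].append({
                    "part": name, "size": len(blob),
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    **describe_embedding(blob)})
            elif name.lower().endswith(".emf"):
                blob = zf.read(name)
                # EMR_HEADER: record type 1, and the " EMF" signature at offset 40
                ok = blob[:4] == b"\x01\x00\x00\x00" and blob[40:44] == b" EMF"
                findings["emf_parts"].append(
                    {"part": name, "size": len(blob), "valid_header": ok})
    for emb in findings["embeddings"]:
        emb["referenced_by"] = referenced_by.get(emb["part"])
    return findings

def _rels(*rels) -> str:
    """Build a minimal .rels document from (Id, Type, Target, external?) tuples."""
    body = "".join('<Relationship Id="%s" Type="%s%s" Target="%s"%s/>'
                   % (i, ODR, t, tgt, ' TargetMode="External"' if ext else "")
                   for i, t, tgt, ext in rels)
    return '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body)

def build_sample() -> bytes:
    """Constructed container mirroring this report's layout; not the analysed file."""
    ole = CFB_MAGIC + b"\0" * 504 + "\x01Ole10Native".encode("utf-16-le")  # fake
    xls = CFB_MAGIC + b"\0" * 504 + "Workbook".encode("utf-16-le")          # fake
    emf = b"\x01\x00\x00\x00" + b"\0" * 36 + b" EMF" + b"\0" * 44            # header only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/charts/_rels/chart2.xml.rels", _rels(
            ("rId1", "oleObject", "file:///C:\\Work\\Solutions\\Graphs.xlsx", True),
            ("rId2", "package", "../embeddings/Microsoft_Office_Excel_Worksheet1.xlsx", False)))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", _rels(
            ("rId1", "oleObject", "../embeddings/oleObject1.bin", False),
            ("rId2", "hyperlink", "https://example.invalid/pay", True)))
        zf.writestr("ppt/embeddings/oleObject1.bin", ole)
        zf.writestr("ppt/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls", xls)
        zf.writestr("ppt/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx", ZIP_MAGIC + b"\0" * 26)
        zf.writestr("ppt/media/image8.emf", emf)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_ooxml(build_sample()))
```

Run it as-is to see the findings for the constructed sample, or call scan_ooxml(open(path, "rb").read()) on a real file. The string-marker triage is a cheap pointer, not a verdict: for the carved parts listed below, parse the compound file properly and dump the Ole10Native or Workbook stream before deciding whether an object carries a payload.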

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename                Kind              Source (OOXML part)                                           Size
ooxml_oleobject_00.bin  ooxml-ole-object  ppt/embeddings/oleObject2.bin                                 41472 bytes
    SHA-256: 3147991ddc0fad5f60e8fa241edaf2bfd4cdf9f2e3e939b15ebbccf6b2e76d19
ooxml_oleobject_01.bin  ooxml-ole-object  ppt/embeddings/oleObject1.bin                                 47104 bytes
    SHA-256: 48e499f4ffbd77ff948222b19133c38632cfb3e2cc070a087faba2d61268bbdf
ooxml_oleobject_02.bin  ooxml-ole-object  ppt/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls  38912 bytes
    SHA-256: 353740c82d0c238181be9000ba31e715b4f6ffbd73c5de9e72dc664a68baf7d7
ooxml_oleobject_03.bin  ooxml-ole-object  ppt/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx         7674 bytes
    SHA-256: 27a11e42b606eee1965dbb4fdc686b67fe8877f32ab0fdb02239248ff0a04eeb
emf_00.emf              ooxml-emf         ppt/media/image8.emf                                          153148 bytes
    SHA-256: 06cae6a69b57e2dc3bc0e5f3fadcfb9546f4a8fe1a55c2235e262333dec85540
emf_01.emf              ooxml-emf         ppt/media/image9.emf                                          11548 bytes
    SHA-256: 8b8d80a8c68416c4a4b0727f01f5ae72d1ffba203d170910afa50cc12796c085
emf_02.emf              ooxml-emf         ppt/media/image6.emf                                          150928 bytes
    SHA-256: 4221f8e64a7d9a34d86be146d0d2cbca9df855a9c14d2bf9371b1faff631e42b
emf_03.emf              ooxml-emf         ppt/media/image7.emf                                          188068 bytes
    SHA-256: 41bad9b2df6a94c9ef6b4a70d758fa744679d0ca89389add06be3c7d5554338e
emf_04.emf              ooxml-emf         ppt/media/image11.emf                                         57676 bytes
    SHA-256: 4483826dbf6dbaeb2baed9609f7f38ad3f1bf84f664e1f7e1069a9d48e5a4746
emf_05.emf              ooxml-emf         ppt/media/image10.emf                                         58664 bytes
    SHA-256: 62c541fae238bc05328e43e6c502122b603b61e4b55bdc5b0dd9c81a60b8394a