Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b92ab448b0492ccb…

MALICIOUS

Office (OOXML)

Size: 844.8 KB
Created: 2014-12-12 13:58:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2015-03-15
MD5: dec3cd62bc170e7eeac155ca593c64d9
SHA-1: a2e2b488cbdfd8f7afadb41e21f9f58cf04fffdb
SHA-256: b92ab448b0492ccb87943b69718d6b1d1828401ab9087c42723a945ca36f5a36
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1027 Obfuscated Files or Information

The sample is a malicious Office document containing embedded OLE objects. One heuristic indicates that an 'Ole10Native' package drops an auto-executable payload named 'abuser1337.scr'. This suggests the document is likely a lure to trick the user into opening it, leading to the execution of a malicious screen saver file.

Heuristics (3)

  • Ole10Native package drops an auto-executable payload (severity: critical, rule: OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All six extracted URLs were reached through the same channel, "In document text (OOXML body / shared strings)":
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size and SHA-256.

Filename: ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 285184 bytes
  SHA-256: 81b1e3d3599b5defa47dc6556855d719e23a4595e1531914e8ee572c25a83ee5

Filename: ooxml_oleobject_00_ole10native_00.bin
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
  Size: 280373 bytes
  SHA-256: 18afceb5f2924c266c028892a41370b1442c47e985eba38008ab2b73be621e80

Filename: ooxml_oleobject_01.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject5.bin
  Size: 285184 bytes
  SHA-256: e8e35181655062fa829ed81dfddc5134dee28236c216368b49ea7c14bcc6394c

Filename: ooxml_oleobject_01_ole10native_00.bin
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject5.bin Ole10Native stream: Ole10Native
  Size: 280352 bytes
  SHA-256: a953f1395ca6afc7950f073c786b2713f9b7e6dffa9060f514da51f835063fc3

Filename: ooxml_oleobject_02.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject4.bin
  Size: 285184 bytes
  SHA-256: f14c0e36d7f5ec27b4455c879c4f2810704ef4c5b208d1aeeb6e410150d4d6a6

Filename: ooxml_oleobject_02_ole10native_00.bin
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject4.bin Ole10Native stream: Ole10Native
  Size: 280334 bytes
  SHA-256: 20dee08eac7018ffa37d93ab71b6b163e126d01c18a34382f9876fb12f215c90

Filename: ooxml_oleobject_03.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
  Size: 285184 bytes
  SHA-256: 23b7fb9edde0bf36b1f7d89c57afa5871faea5f056c4cbd0e3881969b3905ab2

Filename: ooxml_oleobject_03_ole10native_00.bin
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
  Size: 280364 bytes
  SHA-256: 79584630032de0d76450ea4578599633d414c786b3a9f9a5a1bece62d6502f58

Filename: ooxml_oleobject_04.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject3.bin
  Size: 285184 bytes
  SHA-256: e9938406203006bddb3c6a86709ae85c7a337ad24e3f699e08820a0864dff8bb

Filename: ooxml_oleobject_04_ole10native_00.bin
  Kind: ole-package
  Source: OOXML word/embeddings/oleObject3.bin Ole10Native stream: Ole10Native
  Size: 280400 bytes
  SHA-256: 1fa0eefd5e46e373f92759f76d54a45917489894c714552d6911267b08cff70a

Filename: emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 5016 bytes
  SHA-256: 94debb0a77c23c35a66878ece76388dc4d5c1b0e1df656e7250eef303300f3db

Filename: emf_01.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image4.emf
  Size: 5060 bytes
  SHA-256: 5a5c0c676c7d1aa7797225b8e1b259a4352d8f4212ecd668298b378c79287f01

Filename: emf_02.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image5.emf
  Size: 5084 bytes
  SHA-256: 1f40bf6b03e9abfe06f6746eb2882be7fcee7a8506a3416e10933f8752645f36

Filename: emf_03.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image3.emf
  Size: 5036 bytes
  SHA-256: 690bd839c723a9dcadaa961ead9515751d44b87211d95603210d5f55700be671

Filename: emf_04.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 5012 bytes
  SHA-256: 9d2dbc166a7f248c16bf5489e6e3e444aa875e21536cf94d078d042607534630