Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b9c18a3c87530d75…

MALICIOUS

Office (OOXML)

Size: 29.7 KB
Created: 2017-09-29 02:54:17 UTC
Authoring application: Microsoft Office PowerPoint 14.0000
First seen: 2017-11-20
MD5: aa1bcaa3843abb96336c35d6146f7528
SHA-1: 84d4d25ca8c219f3b93ed7048cd03a6ccd0c6813
SHA-256: b9c18a3c87530d75907c39cf9dc7ec977033653dfcc864aef2e23cf26f785ae8
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample contains heuristics indicating the presence of an external OLE object pointing to an HTA file. This HTA file is hosted on the IP address 97.64.28.21. The document likely attempts to trick the user into downloading and executing this HTA file, which is a common method for delivering malicious payloads.

Heuristics (3)

  • MSHTML-style external object relationship (critical, CVE related) OFFICE_MSHTML_EXTERNAL_OBJECT
    External relationship to http://97.64.28.21/web/01.hta: exploitable MSHTML/CAB/MHTML/HTA-style Office attack surface.
  • External OLE object relationship (high) OOXML_EXTERNAL_OLE_OBJECT
    Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://97.64.28.21/web/01.hta (in document text: OOXML body / shared strings)