Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ba14f125c788a163…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 905.4 KB
Created: 2020-07-12 10:32:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2021-06-20
MD5: d3ac29041a34657fe6a827c32778655d
SHA-1: fe1e11fab6b354292d8fe47fc1088330e0d7a88b
SHA-256: ba14f125c788a163b51b8da2ee02e5fb125d10a9bf7bb0e01dbf59e74b5fc7b4
Risk score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample carries an embedded OLE object (an Ole10Native package, i.e. an embedded file, whose 786 KB payload has near-maximal entropy) and an external image relationship pointing to https://mailsigning.pythonanywhere.com/api?req=mmlamb, which Word fetches when the document is opened and which therefore works as a web beacon. It also carries an external hyperlink to http://www.27001-online.com/?_src=_popwnd. The document body discusses greenhouse gas emissions, a plausible business topic for a phishing or malware-delivery lure. Taken together, these indicators suggest an attempt to get the recipient to open the embedded object or follow the link. Note that ClamAV flagged neither carved OLE artifact, so the verdict rests on the heuristics below rather than on a signature match.

Heuristics (6)

  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL that Word fetches automatically when the file is opened, disclosing the reader's IP address and the time of opening to the server. Used for phishing tracking; a target that demands Windows authentication can also be used for NTLM credential theft on corporate networks.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: https://mailsigning.pythonanywhere.com/api?req=mmlamb
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object (word/embeddings/oleObject1.bin; see Extracted artifacts)
  • External hyperlinks (6) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 6 external hyperlinks; clickable URLs are stored as external relationships. First target: mailto:http://www.27001-online.com/?_src=_popwnd (note the malformed target: a mailto: scheme wrapping an http URL)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label names the channel (macro, JS, link annotation, document body, ...) through which each URL was reached.
    • https://compareyourfootprint.com/wp-content/uploads/2018/11/scope-1-2-3.jpg  [OOXML external relationship]
    • https://mailsigning.pythonanywhere.com/api?req=mmlamb  [OOXML external relationship]
    • http://www.27001-online.com/?_src=_popwnd  [Document hyperlink]
    • https://www.privacyshield.gov/  [In document text (OOXML body / shared strings)]
    • http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/drawing/2014/chartex  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/markup-compatibility/2006  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/math  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordml  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2012/wordml  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2015/wordml/symex  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2006/wordml  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/2006/encryption  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password  [In document text (OOXML body / shared strings)]
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate  [In document text (OOXML body / shared strings)]
    Note: the schemas.microsoft.com and schemas.openxmlformats.org entries are XML namespace URIs from the package markup, not navigable links, and are present in any Word document. The three schemas.microsoft.com/office/2006/encryption and keyEncryptor URIs are the namespaces of the ECMA-376 agile-encryption EncryptionInfo XML; seeing them next to a 7.99-entropy embedded package is worth checking by hand, since a password-protected Office file inside the OLE object is one possibility to rule out.
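
How the three relationship heuristics above are derived, as an added example that is not the report's own tooling: the script opens the OOXML zip, reads every .rels part, keeps the relationships whose TargetMode is External, and classifies them by relationship type. The .docx it inspects is constructed in memory from the two URLs the report lists; the AUTO_LOADED set (which relationship types Word resolves on open without a click) is this example's assumption, not something the report states.

```python
# Added example (not the report's tooling): list the TargetMode="External"
# relationships of an OOXML package, the data behind OOXML_EXTERNAL_REL,
# OOXML_IMAGE_BEACON and OOXML_EXTERNAL_HYPERLINKS above. The .docx is
# constructed in memory; the two URLs are the ones the report lists.
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Assumption: relationship types whose external targets Word resolves on open
# without a click (linked picture, linked OLE object, attached template).
AUTO_LOADED = {OD + "image", OD + "oleObject", OD + "attachedTemplate"}


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Every relationship with TargetMode="External", from every *.rels part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "")
                target = rel.get("Target", "")
                parts = urlsplit(target)
                found.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rtype.rsplit("/", 1)[-1],      # image, hyperlink, ...
                    "target": target,
                    "scheme": parts.scheme,
                    "host": parts.hostname or "",          # "" when unparseable
                    "auto_load": rtype in AUTO_LOADED,
                })
    return found


def triage(docx_bytes: bytes) -> list[str]:
    """Turn each external relationship into a finding in the report's vocabulary."""
    findings = []
    for rel in external_relationships(docx_bytes):
        if rel["type"] == "image":
            findings.append(f"OOXML_IMAGE_BEACON {rel['host']} ({rel['part']} {rel['id']})")
        elif rel["auto_load"]:
            findings.append(f"OOXML_EXTERNAL_REL auto-loaded {rel['type']} -> {rel['target']}")
        elif rel["type"] == "hyperlink":
            note = "" if rel["host"] else " [malformed target, no host]"
            findings.append(f"OOXML_EXTERNAL_HYPERLINKS {rel['target']}{note}")
        else:
            findings.append(f"OOXML_EXTERNAL_REL {rel['type']} -> {rel['target']}")
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx mirroring the report's external relationships."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OD}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OD}image" TargetMode="External"
      Target="https://mailsigning.pythonanywhere.com/api?req=mmlamb"/>
  <Relationship Id="rId3" Type="{OD}hyperlink" TargetMode="External"
      Target="mailto:http://www.27001-online.com/?_src=_popwnd"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage(build_sample_docx()):
        print(line)
```

Run it against a real file with external_relationships(open("sample.docx", "rb").read()). A hyperlink whose target does not parse to a host, like the mailto:http://... target above, is reported as malformed rather than dropped, because a target that confuses a parser is exactly the kind of thing worth a second look.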

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part word/embeddings/oleObject1.bin
    Size: 795648 bytes
    SHA-256: f3850b6a9e7b4efc75cfbe234652b7ba61277679d21beed4d8c988a6be1d022f
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content)
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: Ole10Native stream inside OOXML word/embeddings/oleObject1.bin
    Size: 786762 bytes
    SHA-256: 5685883e9bf8beba078dcb9344a61572f76ca4774e69886e876ef640fa6cb7e3
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part word/media/image2.emf
    Size: 5048 bytes
    SHA-256: e5232fd40688feb50eda596e3d025baece6b7b99f17a444b562736d73ae4fec5
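
The two OLE artifacts above were carved but not identified: ClamAV is clean and the only signal is entropy, which a legitimately embedded JPEG, PDF or zip would produce just as well. The next check a practitioner makes is to parse the Ole10Native stream itself, because it stores the embedded file's original name, source path and payload. The following is an added example, not the report's tooling; the stream it parses is constructed in memory with a hypothetical file name and a seeded pseudo-random payload behind an MZ header, and the field layout it decodes is the one oletools' oleobj reads (an assumption stated in the code).

```python
# Added example (not the report's tooling): parse an Ole10Native stream, the
# "ole-package" artifact carved above, recover the embedded file's name and
# type, and measure its entropy. The stream below is constructed; the payload
# is seeded pseudo-random bytes behind an MZ header, and every path and file
# name in it is hypothetical.
import math
import random
import struct
from collections import Counter

MAGIC = [
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "ZIP / OOXML"),
    (b"%PDF", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file"),
    (b"\x7fELF", "ELF executable"),
]


def sniff(data: bytes) -> str:
    """Identify a payload by magic bytes; entropy alone cannot tell these apart."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8), the figure the report quotes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _cstr(buf: bytes, off: int) -> tuple[str, int]:
    """NUL-terminated ANSI string at off -> (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Decode the Packager layout (assumption: the one oletools' oleobj reads):
    u32 size, u16 flags, label NUL, source path NUL, u16 flags2, u16 unknown,
    u32 cmd_len, temp path (cmd_len bytes, NUL-terminated), u32 data_len, data."""
    size, = struct.unpack_from("<I", stream, 0)
    flags, = struct.unpack_from("<H", stream, 4)
    label, off = _cstr(stream, 6)
    source, off = _cstr(stream, off)
    off += 4                                    # flags2 + unknown short
    cmd_len, = struct.unpack_from("<I", stream, off)
    off += 4
    temp = stream[off:off + cmd_len].rstrip(b"\x00").decode("latin-1")
    off += cmd_len
    data_len, = struct.unpack_from("<I", stream, off)
    off += 4
    data = stream[off:off + data_len]
    if len(data) != data_len:
        raise ValueError("truncated Ole10Native payload")
    return {
        "declared_size": size,
        "flags": flags,
        "label": label,            # file name shown to the user
        "source_path": source,     # where the author picked the file up
        "temp_path": temp,         # where Packager drops it on activation
        "payload_size": data_len,
        "payload_type": sniff(data),
        "entropy": round(entropy(data), 2),
        "payload": data,
    }


def build_ole10native(label: str, source: str, temp: str, payload: bytes) -> bytes:
    """Constructed stream in the same layout (test fixture only)."""
    temp_b = temp.encode("latin-1") + b"\x00"
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00"
    body += source.encode("latin-1") + b"\x00"
    body += struct.pack("<HH", 0, 0)
    body += struct.pack("<I", len(temp_b)) + temp_b
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed fixture: an "executable" of seeded random bytes, which is what a
# packed or encrypted payload looks like to the entropy check.
_rng = random.Random(20200712)
SAMPLE_PAYLOAD = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(65536))
SAMPLE_STREAM = build_ole10native(
    "ghg-report-2020.exe", "C:\\Users\\author\\Desktop\\ghg-report-2020.exe",
    "C:\\Users\\author\\AppData\\Local\\Temp\\ghg-report-2020.exe", SAMPLE_PAYLOAD)


if __name__ == "__main__":
    info = parse_ole10native(SAMPLE_STREAM)
    print({k: v for k, v in info.items() if k != "payload"})
```

To get the real stream out of word/embeddings/oleObject1.bin, open the compound file with the third-party olefile library and read the stream named "\x01Ole10Native" (olefile.OleFileIO("oleObject1.bin").openstream("\x01Ole10Native").read()), then pass those bytes to parse_ole10native. The label and payload_type it returns are the two facts the artifact table above lacks; a 7.99-entropy payload with a media or archive magic is a very different finding from one that starts with MZ.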