Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bab1bbc8bb70fb0c…

MALICIOUS

Office (OOXML)

Size: 13.9 KB
Created: 2021-07-20 16:09:00 UTC
Authoring application: Microsoft Office Word 14.0000
First seen: 2021-09-18

MD5: cfeffecba082ca141193bbf1e927e303
SHA-1: 4139adb5a3283075f3b94681949c4862901d5803
SHA-256: bab1bbc8bb70fb0c182f57e58ebb9e438e5b13239893b125a973d3df509decef

Risk score: 62

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1566.001 Phishing: Spearphishing Attachment

The critical heuristic OOXML_DDE_MALICIOUS fired on a DDE field embedded in word/document.xml. The field instruction invokes PowerShell, which in turn runs calc.exe: Dynamic Data Exchange is being used for arbitrary command execution. calc.exe is a typical proof-of-concept payload, but the delivery mechanism is the same one used for live payloads, and the field content is entirely the author's choice. Because the instruction uses the DDEAUTO keyword rather than plain DDE, Word tries to update the link as soon as the document is opened, so the command is meant to run at open time, with no user interaction beyond accepting Word's "update fields" and "start application" prompts. Caveat for triage: since Microsoft advisory ADV170021 (December 2017) Word no longer follows DDE links by default, so on an up-to-date default installation the field is inert unless DDE has been re-enabled through the registry; the sample is still malicious by intent.
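The heuristic above works by reading the field instruction out of the WordprocessingML, not by searching the raw bytes: Word stores a field either as a single w:fldSimple attribute or as a run of w:instrText elements between w:fldChar begin/separate/end markers, and the instruction can be split across several runs, so a per-run regex misses it. The following scanner is an added example written for this report, not the engine that produced it; the OOXML namespaces and field structure are standard, while the launcher list and the two constructed test documents (one carrying a DDEAUTO field that mirrors the report's cmd.exe → powershell → calc.exe chain, one with a benign PAGE field) are assumptions made for the demonstration.

```python
"""Find DDE / DDEAUTO field instructions in an OOXML (.docx) package and flag launchers.

Added example for this report, not the scanner that produced it. Namespaces and
field structure are standard OOXML; the launcher list is a hypothetical starting point.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# A field instruction whose first token is DDE or DDEAUTO (case-insensitive).
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)
# Launchers that have no business in a field instruction (hypothetical list, extend as needed).
DANGEROUS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript",
             "rundll32", "regsvr32", "certutil", "msiexec")


def iter_field_instructions(part_xml: bytes):
    """Yield every field instruction string found in one WordprocessingML part.

    Simple fields (<w:fldSimple w:instr="...">) hold the instruction in an attribute.
    Complex fields are delimited by <w:fldChar> markers (begin -> instrText runs ->
    separate -> cached result -> end); their instruction may be split over many
    <w:instrText> runs, so the runs are concatenated before any pattern is applied.
    """
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    depth, collecting, buf = 0, False, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    buf, collecting = [], True
            elif kind == "separate" and depth == 1:
                collecting = False  # what follows is the cached result, not the instruction
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    collecting = False
                    yield "".join(buf)
        elif el.tag == W + "instrText" and collecting:
            buf.append(el.text or "")


def scan_docx(docx_bytes: bytes):
    """Return (part name, whitespace-normalised instruction, matched launchers) per DDE field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Fields can live in headers, footers and footnotes too, not only document.xml.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for instr in iter_field_instructions(zf.read(name)):
                if DDE_RE.match(instr):
                    low = instr.lower()
                    launchers = tuple(exe for exe in DANGEROUS if exe in low)
                    findings.append((name, " ".join(instr.split()), launchers))
    return findings


# Constructed body fragments (not the analysed sample). The DDEAUTO one mirrors what the
# report describes: cmd.exe starting PowerShell, which starts calc.exe. Its instruction is
# split across two runs, so a regex applied per run would never see the word "DDEAUTO".
DDEAUTO_BODY = (
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\Windows\\\\System32\\\\cmd.exe '
    '"/k powershell.exe -w hidden calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Open in compatibility mode</w:t></w:r>'  # the visible lure text
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)
BENIGN_BODY = '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'


def build_docx(body_xml: str) -> bytes:
    """Wrap a <w:body> fragment in the minimum set of package parts a .docx needs."""
    document_xml = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                    '<w:document xmlns:w="' + W_NS + '"><w:body>' + body_xml +
                    '</w:body></w:document>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
        'officedocument.wordprocessingml.document.main+xml"/></Types>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/officeDocument" Target="word/document.xml"/></Relationships>')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", rels)
        zf.writestr("word/document.xml", document_xml)
    return out.getvalue()


if __name__ == "__main__":
    for part, instr, launchers in scan_docx(build_docx(DDEAUTO_BODY)):
        print(part, "->", instr, "| launchers:", ", ".join(launchers))
```

Point scan_docx at the bytes of a real file (open(path, "rb").read()) to triage a suspect document; the DDEAUTO keyword combined with any entry in the launcher list is the condition the report's critical heuristic describes. The scanner deliberately also walks header, footer and footnote parts, since a field there fires just as well as one in the body.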

Heuristics (2)

  • Malicious DDE command [critical] OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: powershell
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Caveat: every URL listed below is an XML namespace URI, i.e. one of the standard OOXML and Microsoft Word schema namespaces declared on the root element of word/document.xml. They identify markup vocabularies, are never fetched by Word, and appear in practically every .docx; none of them is a network indicator and none comes from the DDE instruction.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml  In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape  In document text (OOXML body / shared strings)