Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bcad2c1c5df0b47f…

MALICIOUS

Office (OOXML)

1.12 MB Created: 2021-01-12 12:42:00 UTC Authoring application: Microsoft Office Word 15.0000 First seen: 2021-01-23
MD5: 1ef46b357e476be1d189cb2af1057d41 SHA-1: 949d5877608cd56884bac592cd0ae17bbdbf190c SHA-256: bcad2c1c5df0b47faccc542b23cefafd0f8a803bc35c7ec0dd8abf71fa6131e0
82 Risk Score

Heuristics 3

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 6726144 bytes
SHA-256: 76836e5414f21deb944224edb5d3b9a8b1b531b25e9d4a33993d780f3efd297b
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 6671203 bytes
SHA-256: bcbfb7786dc000604b1035eff3c5f11d7713780d2ea6705625f19944d3634adf
ooxml_oleobject_00_ole10native_00_content.exe ole-package-payload OOXML word/embeddings/oleObject1.bin Ole10Native payload: display_name=content.exe; full_path=C:\Users\Supremez\AppData\Local\Temp\content.exe; temp_path=; def_file= 6670648 bytes
SHA-256: 3e43c7f0abac6d80c05dc39c02b687a97a70c761bf1c748a0b3130f4d8a00fda
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 5520 bytes
SHA-256: 9936d03e6e8e062a2e902eec3acd4d52f8d9a2320e4c48c49bf78f63e2944815