Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 be4cc9fdd9ed4def…

MALICIOUS

Office (OOXML)

11.3 KB Created: 2021-07-08 06:56:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: cdb0c8361219b176a24868e5b093126b SHA-1: 70102d3433a222389553559c5563061200d8a860 SHA-256: be4cc9fdd9ed4def083c1c55fdf48fa2e05592f12d3858b6fe1d064769a5f513
62 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The critical heuristic firing indicates a malicious DDE command was embedded within the document. This command, 'DDEAUTO c:\windows\system32\cmd.exe /k mspaint.exe', is designed to execute cmd.exe and subsequently launch mspaint.exe, likely as a precursor to further malicious activity. This technique is commonly used to bypass security controls and achieve arbitrary code execution.

Heuristics 2

  • Malicious DDE command critical OOXML_DDE_MALICIOUS
    DDE field in word/document.xml launches a dangerous executable: \\system32\\cmd.exe
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.