Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c6c3678d8e6f715e…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 2.18 MB
Created: 2018-04-23 02:07:47 UTC
Authoring application: Microsoft Office PowerPoint 12.0000
First seen: 2019-12-10
MD5: cca8b5e5855698c72b41e6b8ef2e090f
SHA-1: 04a0e15f38f43f435b9fc1ce5a6679f150412bea
SHA-256: c6c3678d8e6f715eda700eec776f75d1b733cab9757813cff4e206581ed8349f
Risk score: 110

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment

The sample contains an external relationship pointing to a script hosted on 'http://moffice.mrface.com/office.sct'. This script is likely intended to be downloaded and executed, potentially leading to further malicious activity. The presence of an external object relationship strongly suggests an attempt to bypass security controls and execute remote code.

Heuristics (4)

  • MSHTML-style external object relationship [critical, CVE related] OFFICE_MSHTML_EXTERNAL_OBJECT
    External relationship to script:http://moffice.mrface.com/office.sct — exploitable MSHTML/CAB/MHTML/HTA-style Office attack surface
  • External relationship [high] OOXML_EXTERNAL_REL
    External target in ppt/slides/_rels/slide1.xml.rels: script:http://moffice.mrface.com/office.sct
  • External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: file:///C:\Users\John\Desktop\7z1801-x64.exe
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://moffice.mrface.com/office.sct (channel: Document hyperlink)