Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 d49cd70556c81588…

MALICIOUS

Office (OOXML) / .DOCX

31.3 KB Created: 2018-06-13 17:58:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: c957ba5004bf70f774a5f15c4715aeea SHA-1: f45de56bb5535ab756058b3551f2f07b2bd539a6 SHA-256: d49cd70556c815882ab39d8b256843559e2cd2d12fa91c2d6beda90ca739ac00
76 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 Malicious File T1566 Phishing T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1059.005 Visual Basic

This OOXML document contains a remote image beacon and external relationships, both pointing to a suspicious URL. The document also employs a macro-enable lure, instructing the user to enable content. This suggests the document is designed to trick the user into enabling macros, which would then likely download and execute a second-stage payload from the identified URLs. The specific URLs are indicative of a phishing or malware distribution campaign.

Heuristics 6

  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: https://ftp.phishing.guru/XV0F3aTBza2dqV085dXludmtCVFFYNmxrYzUxYlZOMnFzUjVjU0ZzbmpsZUtaR20waXdURU8vQ3psM0V6QlluaCtZbEZaT
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://ftp.phishing.guru/XQXh5SzFscS9McE5ZRDE5bzQwLzBRRFFQa244SGxPekxPRUZZZzRydnlYWUVJZ2JhbVJqY0hpZmUyU0ZNWWE0MlRCY3huNW9NaHBPTHVwVncyejdlREEvaXFMUkczR3ZZMXdpZ
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ftp.phishing.guru/XMUg4UWF6WTBQdTlSTWRYaXcweGwrQnl1S3hNTDUzalBkZWZFSnQ4dnQwK3d6dW0xQXYvb0ZpckN5RnJuSzkyM2VRS0NlRnNRQW52T21YOGllYkNRckVBNTJveGFmUlQ5YmloRXJFT293VkFYNVRoNm1jaW5SR01EdDFBPS0tNmRLQ2p2V1hSbW5pN2taRy0tNHNZUytGRkFpQldsV0pFNFVKaExBZz09?cid=2657357803
    • https://ftp.phishing.guru/XTkN4aUZyOHBhYVJYWGZBV3VBRUxuS01iNkw1Qnp5TlhqYTVIUUM4VEE4alR4N2dESFpFQ1pVSHNETHEycER0dDcwbEUyWS81TEQ3cFB0ZFZVWVd6dzNuM2FNSmVPS09jUDM1YXdPQkdrbDJVdWhLN28wQi81V2wyY2hNPS0tK1Z5dW42UnF2VFJ6Z1g3Ui0tTi82bGk3aGZ3NXR6S1pkOEVRemQwdz09?cid=2657357803
    • https://ftp.phishing.guru/XYlhzQ0tLU0J4cGFiZk50NlBRSGl0blM3WlZmU2Ztc2Fvc2lvdW1JWDFtS05tK3lITmNHS0xqM3ZnbzVVT1BsRVI5Y0lCclJmSXdUUU5hVFhLMDh0L1UxNU1TNVNacEN0STNmdFAxYnp2d0xkR2xYbXJrYjYvVDZyd05VPS0tU1ZsRXliTWd5ZUloUnYwMC0tVHczREs0WllxNWVjVzBDMjljYU
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.microsoft.com/office/drawing/2015/10/21/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/9/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/10/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/11/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/12/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/13/chartex
    • http://schemas.microsoft.com/office/drawing/2016/5/14/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/drawing/2016/ink
    • http://schemas.microsoft.com/office/drawing/2017/model3d
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Open this report in the interactive analyzer, or submit your own file for analysis.