Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d75d7324c0bde7dc…

MALICIOUS

Office (OOXML)

140.4 KB Created: 2014-09-09 05:02:56 UTC Authoring application: Microsoft Office PowerPoint 12.0000 First seen: 2016-09-21
MD5: c5575523b77c8a57c2382e6e0d6a7d0f SHA-1: da8d7fc89c7b7154b11bd3339502a0e602600154 SHA-256: d75d7324c0bde7dcc5d5948c3e94cc9d2fee1ddaa07d20c9b386870263af53a0
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The OOXML file contains an embedded OLE object which is identified as a risky file type. This object, named 'putty.exe', is designed to be auto-executable, indicating a likely attempt to deliver a malicious payload to the user. The presence of an embedded executable strongly suggests a malicious intent, likely delivered via spearphishing.

Heuristics 2

  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: ppt/embeddings/oleObject1.bin 188416 bytes
SHA-256: cfab8e2b6b76aa710339276ad8547ee5051c29a0b057dda9892a3b47618482e3
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML ppt/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 183296 bytes
SHA-256: 03044a250650150fbb1c8296233b56da381ced276768839eddb37952f57fb5dd

Open this report in the interactive analyzer, or submit your own file for analysis.