Office (OOXML) malware analysis — malicious · da227b9ca6aea222

MALICIOUS

Office (OOXML)

14.1 KB Created: 2019-09-30 22:35:00 UTC Authoring application: Microsoft Office Word 14.0000 First seen: 2020-02-04

MD5: e81cf6727c6364402b65c0ffa77f3cb7 SHA-1: 4c7df90ecb37a0229b18867bdd051b0403658234 SHA-256: da227b9ca6aea222e40da30221ef7e65f1b3f1d52926053dba64f17c2a63cb2e

82 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an OOXML document that contains an external OLE object pointing to a remote URL, indicative of an exploit attempt. The heuristic firings specifically mention CVE-2017-8759, a known vulnerability in Microsoft Office that can be exploited via OLE objects to download and execute arbitrary files. The embedded URL is the primary indicator of the malicious payload's location.

Heuristics 3

OOXML OLE2Link remote document — CVE-2017-8759 related high CVE related CVE_2017_8759_RELATED

Document contains an o:OLEObject Type=Link whose external oleObject relationship fetches a remote Office-looking document. That is the OOXML OLE2Link staging shape used by CVE-2017-8759 campaigns when the remote document/WSDL supplies the SOAP moniker payload; the local file alone does not contain the WSDL body needed for an exact match.
External OLE object relationship high OOXML_EXTERNAL_OLE_OBJECT

Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://wirelord.us/img/5.Doc In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`emf_00.emf`	ooxml-emf	OOXML EMF part: word/media/image1.emf	2532 bytes
SHA-256: `8bdd63b68554a988f5eae76a42f2a83af168955ebdd5f63a4fcc7562f987d67d`

Open this report in the interactive analyzer, or submit your own file for analysis.