Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 dcf3b747d514dcf6…

MALICIOUS

Office (OOXML)

Size: 358.3 KB
Created: 2015-07-20 04:19:00 UTC
Authoring application: Microsoft Office PowerPoint 12.0000
First seen: 2015-09-21
MD5: 22f13f799d6ca359b5621835e5344dd0
SHA-1: 338fef6b947fe27253769559d61512ea94dd1016
SHA-256: dcf3b747d514dcf646db9f20a86ca3d29bd68018fe1f59859c747c3df7998ab5
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a PowerPoint document containing an embedded OLE object. This object is identified as an 'Ole10Native package' that drops an executable file named 'Powerpoint.scr'. ClamAV detections on both the main file and the extracted artifact confirm its malicious nature, likely as a downloader or dropper for further malware.

Heuristics (3)

  • ClamAV: Win.Malware.Vbkryjetor-6622845-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Vbkryjetor-6622845-0
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: ppt/embeddings/oleObject1.bin
  Size: 506368 bytes
  SHA-256: fb0ab5d7c01e9fd18307dc0ca08bf1a68503abc21c47b3d8047e6f0028e48177
  Detection: ClamAV: Win.Malware.Vbkryjetor-6622845-0
  Obfuscation or payload: unlikely

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  Kind: ole-package
  Source: OOXML ppt/embeddings/oleObject1.bin, Ole10Native stream: Ole10Native
  Size: 500081 bytes
  SHA-256: 248755b8fce275ea005a5c137afbd29fcb9a5c23e324551fa2c0074e936273d2
  Detection: ClamAV: Win.Malware.Vbkryjetor-6622845-0
  Obfuscation or payload: unlikely