Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 ec64908012233e1a…

MALICIOUS

Office (OOXML) / .DOC

Size: 471.3 KB
Created: 2021-10-04 10:21:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 24a2062151a8e85e520399c543e80c38
SHA-1: 2661dd0ab2df41375c44ea90284dabc160ab710e
SHA-256: ec64908012233e1a931ee14a0b10fe8491c1fd8d6fd52e795abbd11d1a800d28
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document exhibits characteristics of an advance-fee scam, including language related to lotteries, prizes, and parcel delivery. It contains multiple embedded OLE objects, which are often used to deliver malicious payloads. While no specific script was extracted, the presence of external hyperlinks and embedded objects suggests an attempt to trick the user into interacting with malicious content or downloading further malware.

Heuristics (4)

  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • External hyperlinks (7) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 7 external hyperlinks — clickable URLs are stored as external relationships. First target: http://www.yahoo.com/
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://www.yahoo.com/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
ooxml_oleobject_00.bin | f85eba9ef426cc4142d1d3d3f743e11e7afc15c4a58ec2a17b82c2fac261e2a5 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject9.bin | 18944 bytes
ooxml_oleobject_01.bin | 7f89c56422bd81adc4ced06ef82659a757638cb181ed294087494f3b52a79451 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 10752 bytes
ooxml_oleobject_02.bin | 32b72447dc4bbc9b75224aa4486364ae378a89472ca04b220f90833831e482f4 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject3.bin | 10752 bytes
ooxml_oleobject_03.bin | cc71cdc5586d6daa8672554075f4d37798e082b84475d60b4a52e2f938c47930 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject6.bin | 71168 bytes
ooxml_oleobject_04.bin | 0891873a7c8f4c95832d1be9102551de625da9f2e2cc7e53455c7f568e5f0f54 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject2.bin | 10752 bytes
ooxml_oleobject_05.bin | d36cf0da526a299f167150da011ec9bf975d0608a43be3fac21d2b1e45451629 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject8.bin | 355328 bytes
ooxml_oleobject_06.bin | 6d8a34fff9faed520eb6a99094d02a8ccc72c6b1107559b0fbc6a91cc2fa04f4 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject10.bin | 5632 bytes
ooxml_oleobject_07.bin | a6a0416953f86e4f4bec85d295e21f7b4446242b50441bf3b425399097b3d1b5 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject4.bin | 71168 bytes
ooxml_oleobject_08.bin | 3fd019d45bb7cf345d38f60a683bdebb38e64be06e5c9947b927b04607873239 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject15.bin | 5632 bytes
ooxml_oleobject_09.bin | 32f1ce3f2685930c86e4364009d2387da5d2144cc7843bba26411554e4baf23b | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject12.bin | 5632 bytes
ooxml_oleobject_10.bin | e8100349dd706dc1d14599f7cf0693dbb207584a701dacee56cd056fe76740bd | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject5.bin | 71168 bytes
ooxml_oleobject_11.bin | 16b3d68549c052aaca711b22327906b99aef887cfa6b6605567355eab1bc1a07 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject14.bin | 5632 bytes
ooxml_oleobject_12.bin | fd902baa082960480ce2813b41a774e0e65871fe6a8e60ac22e483410b6c52b0 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject11.bin | 5632 bytes
ooxml_oleobject_13.bin | d4910e13e5876d5bdc01e8f140fe6d3974f2d365d066bcb4733402c5ac799821 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject7.bin | 71168 bytes
ooxml_oleobject_14.bin | 805126aa5750b0ce34e020a51417476a6094a29b953e63c6004ec2d31569612e | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject13.bin | 5632 bytes