Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f0c57b1c1c0124b1…

MALICIOUS

Office (OOXML)

Size: 23.3 KB
Created: 2021-09-28 16:36:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2021-10-24
MD5: 6b781c1082014a0177f42e918adb35de
SHA-1: d80c27ee42f29e656fbb10befec584ae197bbdf9
SHA-256: f0c57b1c1c0124b12599b8f0c58f428a328f0d24311408f95e63b29648798587
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The OOXML document contains heuristics indicating remote template injection and external relationships, pointing to the download of external content. The document body explicitly instructs the user to 'ENABLE EDITING or ENABLE CONTENT', a common lure to bypass security measures and facilitate the execution of malicious code. The embedded URL 'http://paste.c-net.org/GiovanniKismet' is highly suspicious and likely serves as the source for a secondary payload.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://paste.c-net.org/GiovanniKismet) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://paste.c-net.org/GiovanniKismet
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://paste.c-net.org/GiovanniKismet (remote template reference)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)