Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f6eb7584ef986783…

MALICIOUS

Office (OOXML)

Size: 5.73 MB | Created: 2014-08-19 07:24:00 UTC | Authoring application: Microsoft Office Word 12.0000 | First seen: 2015-01-15
MD5: 482db8bdada803b947113ba1b2f0d9ec
SHA-1: 86ceda5c95ec362a3089ef7fe4190415a9b97d47
SHA-256: f6eb7584ef986783262eaaca5ecd3fb11bbf6435a02ed2b96822e1673f18303c
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The OOXML document contains embedded OLE objects that are configured to drop and execute a payload, identified as 'img8.scr'. The document body attempts to lure users by offering free Steam accounts, suggesting a social engineering tactic to encourage interaction with the malicious content. The embedded OLE object is a critical finding, indicating the primary mechanism for delivering the malicious payload.

Heuristics (4)

  • Ole10Native package drops an auto-executable payload (severity: critical) [OFFICE_PACKAGE_RISKY_FILE]
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use: it is a malware-delivery dropper.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Payload URL recovered from embedded OLE object (1 URL) (severity: info) [OOXML_EMBEDDED_OBJECT_URL]
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream, stored either literally (including UTF-16) or base64-encoded, which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • https://steamcommunity.com/profiles/ (in document text: OOXML body / shared strings)

Extracted artifacts (28)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size (the SHA-256 of each artifact follows on the next line)
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject8.bin 609280 bytes
SHA-256: 204d7b279e17c224062fe3aa1f532c0006e1520f3f9a2c8eb482bb0f434eb711
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject8.bin Ole10Native stream: Ole10Native 601822 bytes
SHA-256: c95d76a46fc00253df5a8b50709160eaf2e684e4929bf7fc26e5b9029a76b3da
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject4.bin 609280 bytes
SHA-256: 2270e8662efb6769df0fda4d048394ab983d0eb0f0ae2f842c23fb96f0ab28fa
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML word/embeddings/oleObject4.bin Ole10Native stream: Ole10Native 601810 bytes
SHA-256: 8d3fa8c1647385458ea2f6fe14308ba9b3dd07d078ae911904ff488c2974817d
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject12.bin 609280 bytes
SHA-256: 7a65efa0b82179a51fe7db9c0114bfe5333f404000c25445d4ec3b283ad4bccc
ooxml_oleobject_02_ole10native_00.bin ole-package OOXML word/embeddings/oleObject12.bin Ole10Native stream: Ole10Native 601819 bytes
SHA-256: b113540375810138eb253facc002fc3b6c32fa65c3ecbbb0fb90fbdee94699f1
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject2.bin 609280 bytes
SHA-256: 31d347afda5f11a94eb8cfef768d91b1092effd586adf8f9f8ee0f92d7b60f71
ooxml_oleobject_03_ole10native_00.bin ole-package OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 601810 bytes
SHA-256: b20733da0eac3f67f59420debbac7cc35c9d424901ff3fb7b981decb87212647
ooxml_oleobject_04.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject13.bin 609280 bytes
SHA-256: 8b74298cfd4ba899d471d6bae15903e98dffb51b1e55eaa54c06f8d68b585fa9
ooxml_oleobject_04_ole10native_00.bin ole-package OOXML word/embeddings/oleObject13.bin Ole10Native stream: Ole10Native 601819 bytes
SHA-256: 9599dd2ece2040ec16f3c0163ac1737d35c43ceba2e5c909ce8a5e60b91ea0f5
ooxml_oleobject_05.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject6.bin 609280 bytes
SHA-256: c81c28df7e580a0d254c81b6ede535ae87bfe4259aa637d9bdb5623cb1b43e69
ooxml_oleobject_05_ole10native_00.bin ole-package OOXML word/embeddings/oleObject6.bin Ole10Native stream: Ole10Native 601810 bytes
SHA-256: 3be4e7ed5177a08e483b498e33d9f33bfc6d0d999a42c2b957f40693d3b869bf
ooxml_oleobject_06.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject11.bin 609280 bytes
SHA-256: 669a30d6298d4b3002712efa9a6161348f137311aaa62b07617a3e8937d30c56
ooxml_oleobject_06_ole10native_00.bin ole-package OOXML word/embeddings/oleObject11.bin Ole10Native stream: Ole10Native 601819 bytes
SHA-256: eb1a221efae499b7f50e620b54b4115b5ad3d172958b877af8ce74da8ea273cd
ooxml_oleobject_07.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject14.bin 609280 bytes
SHA-256: 463c6f074b4518628f4f3c37b5319a7a54dc7912ef547bbb78fc565a88a496b1
ooxml_oleobject_07_ole10native_00.bin ole-package OOXML word/embeddings/oleObject14.bin Ole10Native stream: Ole10Native 601819 bytes
SHA-256: 7fa91d9097a6934fa6a308a240bc4d01fa455520fee908b10cd2cd83ed6a7efd
ooxml_oleobject_08.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 609280 bytes
SHA-256: f23552fb2b0097dd1f1ba4db067a768654b193a175e6d2ee747fdaf23b8cf008
ooxml_oleobject_08_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 601822 bytes
SHA-256: 0627701498bcef3e884ccfc9d9046de2b28fd876773a4a0cdd9cc4dfad43f0d5
ooxml_oleobject_09.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject7.bin 609280 bytes
SHA-256: a69425706f55a959b320e407af569bf706bcc82c3efb35926f03d72d34a6f860
ooxml_oleobject_09_ole10native_00.bin ole-package OOXML word/embeddings/oleObject7.bin Ole10Native stream: Ole10Native 601810 bytes
SHA-256: ef8cffd4549be8f0e6833dba9bd73e3cf25fe8b067638493666bdbfeced68ec7
ooxml_oleobject_10.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject3.bin 609280 bytes
SHA-256: 010f8a0c6ed1b3d5bf31dc5481dc02827fff3cb5ab2bc6dab77298e47da3ffc4
ooxml_oleobject_10_ole10native_00.bin ole-package OOXML word/embeddings/oleObject3.bin Ole10Native stream: Ole10Native 601810 bytes
SHA-256: c23879c530bb70dfdb3d85b76b7de4c97a54e4872b44a8d2a1f461d41682c7ed
ooxml_oleobject_11.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject10.bin 609280 bytes
SHA-256: e1689263447708287b8089adcad906c02d1c845435673de5cc47b89bc8e57afb
ooxml_oleobject_11_ole10native_00.bin ole-package OOXML word/embeddings/oleObject10.bin Ole10Native stream: Ole10Native 601819 bytes
SHA-256: 547e773c2e01a92b469debaa72ef51b34e8f479782bdddb58e53a675830e1c58
ooxml_oleobject_12.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject5.bin 609280 bytes
SHA-256: b22ec44fa467821ffb812f9c23ec5514caa84f199b513bca374bf0a2f8a1e289
ooxml_oleobject_12_ole10native_00.bin ole-package OOXML word/embeddings/oleObject5.bin Ole10Native stream: Ole10Native 601810 bytes
SHA-256: 514301c8d63cf7f183e8d7aca194466c1586f078e10062dd5e7f7d2ad20bd4db
ooxml_oleobject_13.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject9.bin 609280 bytes
SHA-256: 4bcf2b32268373f66a0f00a4797e451506f86b858615c21fb23e13c4b5836a2d
ooxml_oleobject_13_ole10native_00.bin ole-package OOXML word/embeddings/oleObject9.bin Ole10Native stream: Ole10Native 601810 bytes
SHA-256: d15706871cd15c6891cba1425e10c6115ed2187af81ebc56ecf9d453de511117