Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9a52eafa348ec11…

MALICIOUS

Office (OLE)

Size: 25.5 KB
Created: 2018-06-25 22:29:34
Authoring application: Microsoft Excel
First seen: 2019-01-31
MD5: 15775ea7d412df7520a368a54237d426
SHA-1: 8518268c5764e2bbf25cf20079b0dc2810e0527e
SHA-256: f9a52eafa348ec1153c9f798cf6de8f527e84d3b020dfa213220eaf9f6e35957
Risk score: 162

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer
  • T1566.001 Spearphishing Attachment

The Excel document contains a lure to enable content, followed by instructions to copy and paste commands into a shell. These commands reference Wscript.Shell and bitsadmin, indicating an intent to download and execute a second-stage payload from the embedded URL http://rroun-nourr.ga//files/scan_copy.exe. The heuristic SE_CLIPBOARD_COMMAND_LURE directly supports this finding.

Heuristics (5)

  • Reference to Windows Script Host (severity: high, ID: SC_STR_WSCRIPT)
  • Reference to bitsadmin (download) (severity: high, ID: SC_STR_BITSADMIN)
  • Clipboard command execution lure (severity: high, ID: SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text (severity: high, ID: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://rroun-nourr.ga//files/scan_copy.exe (found in document text, OLE body)