Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fbe6bada632f990f…

MALICIOUS

Office (OOXML)

126.3 KB Created: 2017-10-30 19:42:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2017-11-13
MD5: 3c24fe7970fc00732ff4f5cfd6a9df08 SHA-1: c4ae2fd29584c220186cc5e26b178aaf5ebc4635 SHA-256: fbe6bada632f990fedad3a3382f94daca9bf32ecfc2a2a3e997a6b89829383b2
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious due to the presence of an embedded OLE object containing executable content, specifically indicated by the 'CVE_2026_21514' heuristic. This object likely serves to download and execute a secondary payload from the URL http://aurea-art.ru/eiuhf384. The ClamAV detection 'Img.Dropper.PhishingLure-6362648-0' further supports its malicious nature as a dropper for phishing lures.

Heuristics 6

  • ClamAV: Img.Dropper.PhishingLure-6362648-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Img.Dropper.PhishingLure-6362648-0
  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://aurea-art.ru/eiuhf384 In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 4608 bytes
SHA-256: 6f22646f41c41e9a85b1cb011d86370dbc15a49c839c2864fb010bb2e72ea61d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): powershell.exe, PowerShell\v1.0\powershell.exe
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 1988 bytes
SHA-256: d18821e233485b2d7f760387ff4e2714fa607038b0ae951be947d4a77fba1099
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): powershell.exe, PowerShell\v1.0\powershell.exe
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 5372 bytes
SHA-256: be620c46bd7a9ef924f8581ded4206ec22801d4c9705f0f3d194008f0129f443

Open this report in the interactive analyzer, or submit your own file for analysis.