Office (OOXML) / .DOC malware analysis — malicious · ffa22c40ac69750b

MALICIOUS

Office (OOXML) / .DOC

17.2 KB Created: 2022-06-07 11:31:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2022-06-08

MD5: 8e6b59d8e6f3e95d66b495d2df945832 SHA-1: 9c5dbfa7f70cf5151ee706598f5434b1e13d64a4 SHA-256: ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb

222 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1204 User Execution

The sample leverages the CVE-2022-30190 vulnerability, also known as Follina, by embedding an external OLE object. This object is designed to fetch and execute content from the URL https://garmandesar.duckdns.org:444/uoqiuwef.html. The heuristic firings strongly indicate exploitation of this vulnerability, leading to the download of a secondary stage. The document body, though truncated, appears to be a security awareness memo, likely serving as a lure.

Heuristics 6

CVE-2022-30190 — Follina stage-1 external HTML oleObject critical CVE likely CVE_2022_30190

External OLEObject relationship targets a remote .html with the Follina delivery shape (oleObject -> HTTP(S) HTML with trailing Moniker '!'). In live Follina samples the ms-msdt: trigger is served by the remote HTML, not the document itself.
OOXML OLE2Link remote loader — CVE-2017-0199 related high CVE related CVE_2017_0199_RELATED

Document contains an o:OLEObject Type=Link whose external oleObject relationship points to a remote URL. This is the OOXML OLE2Link activation shape associated with CVE-2017-0199 delivery, but the local file does not expose URL Moniker bytes or a weaponized extension/content type, so the exact CVE cannot be proven statically.
ClamAV: Win.Exploit.CVE_2022_30190-9951234-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Exploit.CVE_2022_30190-9951234-1
External OLE object relationship high OOXML_EXTERNAL_OLE_OBJECT

Document contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.microsoft.com/office/word/2015/wordml/symex
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
- http://schemas.microsoft.com/office/word/2010/wordprocessingInk
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.microsoft.com/office/word/2010/wordprocessingShape
- https://garmandesar.duckdns.org:444/uoqiuwef.html

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `5f5e9f0ae88c06e81cc34c036bf40fc37f1257bed7b72474108d29b62f9f06e8`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/oleObject1.bin	111104 bytes
`ooxml_oleobject_00_ole10native_00.bin` `46c738c59278047c7aa84ce1914147af0147735d8bb3fe973eb143e57e66fea5`	ole-package	OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	107428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.