Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 0307fb6077892577…

MALICIOUS

Office (OOXML) / .DOC

Size: 225.2 KB
Created: 2025-09-24 01:06:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: e62b0f283b2d8f1eaf08ec2bea27d671
SHA-1: b57f97381786da51918f7b73041046876ae5e47f
SHA-256: 0307fb607789257742278ba79602124a4eace8c82547462aba24857914849aaa
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document contains heuristics indicating remote template injection and an embedded OLE object, suggesting an attempt to execute external code. The suspicious URL 'https://ln24.ir/n2KJQK' is likely used to host or retrieve a secondary payload. The presence of these elements strongly points towards a malicious document designed to compromise the user's system.

Heuristics 4

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://ln24.ir/n2KJQK) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://ln24.ir/n2KJQK
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ln24.ir/n2KJQK

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    f91df639fe6347bd4b8a18b8720318a33fcbbf668520654055d66f69b61c4f35
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 1066496 bytes
  • Filename: emf_00.emf
    b645b7d4c27c44ca33d7b114e13cf758137f3e494a784eddac250566b45e1b06
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 635768 bytes