Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 04905215bfd86fab…

MALICIOUS

Office (OOXML)

23.1 KB First seen: 2021-05-29
MD5: 29b71586c4057dfdfe8009d79d45dfb9
SHA-1: 7f83f9f814cd1b5c6d711e415cef9b90e1518107
SHA-256: 04905215bfd86fabaf0ffc950f16d312626360b408fa334681cb0599ad387c82
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The OOXML_ALTCHUNK_OPAQUE heuristic indicates that the document attempts to import external content, likely to download a secondary payload. The presence of remote image beacons and external relationships pointing to the same domain further supports this. No scripts were extracted from this sample, but the external URLs suggest a downloader or exploit delivery mechanism.

Heuristics (4)

  • altChunk imports unrecognised content high OOXML_ALTCHUNK_OPAQUE
    altChunk relationship resolves to a packaged part whose content does not match a known chunk format. Treat with suspicion — altChunk is rarely used outside RTF/HTML smuggling.
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL that loads automatically on open, revealing the reader's IP address and the time of opening to the server (used for phishing tracking and NTLM hash theft on corporate networks).
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: https://www.doctricant.com/eur?id=eWUvLy91K0pVZ0krdjZ1TjJmUllUVUZoZDBubUkreTY1SCtnd3FoS2ZyV0JsZCtOL0hXK2hmQ2llTTJ4bWNGSG
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.doctricant.com/eur?id=eWUvLy91K0pVZ0krdjZ1TjJmUllUVUZoZDBubUkreTY1SCtnd3FoS2ZyV0JsZCtOL0hXK2hmQ2llTTJ4bWNGSG5MSDNpdGN4eDFQQmgyV3BZeXRvSDV3aGpLYXlTeHJBUHNwYWJJZ1c0NmFoeDJQVjkydnhmZUlOUGgyVHNRaEVrQ3VjSlNwQ1I5WlhkS3NBOC9nZ2w2REJGeUllNjVPTkJsWGR0bnU2WVlDU0g1bVpxSUFlSnE0dm9DV3h6TklUQ2tISVNNaW  In document text (OOXML body / shared strings)
    • https://www.doctricant.com/eur?id=eWUvLy91K0pVZ0krdjZ1TjJmUllUVUZoZDBubUkreTY1SCtnd3FoS2ZyV0JsZCtOL0hXK2hmQ2llTTJ4bWNGSG  OOXML external relationship
    • https://www.doctricant.com/eur?id=eWUvLy91K0pVZ0krdjZ1TjJmUllUVUZoZDBubUkreTY1SCtnd3FoS2ZyV0JsZCtOL0hXK2hmQ2llTTJ4bWNGSG5MSDNpdGN4eDFQQmgyV3BZeXRvSDV3aGpLYXlTeHJBUHNwYWJJZ1c0NmFoeDJQVjkydnhmZUlOUGgyVH  OOXML external relationship
    • http://purl.org/dc/elements/1.1/  In document text (OOXML body / shared strings)
    • http://purl.org/dc/terms/  In document text (OOXML body / shared strings)
    • http://www.w3.org/2001/XMLSchema-instance  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/package/2006/relationships  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument  In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties  In document text (OOXML body / shared strings)