Unix.Downloader.Rocke — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 0a7507a7b8eabf6d…

MALICIOUS

Office (OOXML) / .DOC

Size: 11.1 KB
First seen: 2025-09-23
MD5: c1d55fb2985e0a0e646ec1040e59ace9
SHA-1: d2009a5f325e8d8a2ff5e8af72905d497e1ec016
SHA-256: 0a7507a7b8eabf6d89e19b5638e38b8d1155038a03f6dc5a9c4d1b304ae9aafb
Risk Score: 102

Malware Insights

Unix.Downloader.Rocke · confidence 95%

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The file is identified as Unix.Downloader.Rocke by ClamAV. Static analysis revealed shell commands within the document body that aim to disable security features and remove traces. Specifically, it attempts to disable the firewall, clear iptables, and delete user accounts, indicating a destructive or evasive payload.

Heuristics (3)

  • ClamAV: Unix.Downloader.Rocke-6826000-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Downloader.Rocke-6826000-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/schemaLibrary/2006/main
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/drawingml/2006/picture
    • http://schemas.openxmlformats.org/drawingml/2006/chart
    • http://schemas.openxmlformats.org/drawingml/2006/lockedCanvas
    • http://schemas.openxmlformats.org/drawingml/2006/diagram
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml
    • http://schemas.microsoft.com/office/word/2018/wordml/cex
    • http://schemas.microsoft.com/office/word/2016/wordml/cid
    • http://schemas.microsoft.com/office/tasks/2019/documenttasks
    • http://schemas.microsoft.com/office/comments/2020/reactions
    • http://update.aegis.aliyun.com/download/uninstall.sh
    • http://update.aegis.aliyun.com/download/quartz_uninstall.sh