Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0b13c6308b08835c…

MALICIOUS

Office (OOXML)

32.7 KB Created: 2016-10-17 17:27:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: c6169b5d6ce7c2b5f2143389c3a946d6 SHA-1: d4be8d64c8bf82bbca3843f6bf35c1245e248a9b SHA-256: 0b13c6308b08835cbcdd587f9a500894a45f851e18be6cdb96245b3880d668ec
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file exhibits high-confidence heuristics for remote template injection and external relationships, indicating an attempt to load external content. The presence of an external hyperlink further supports this. The document body appears to be legitimate regulatory text, suggesting the malicious components are hidden or triggered by user interaction, likely involving the remote template.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://fcahome/readingrm/handbook/FCA Regulation/Forms/template.dotx) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://fcahome/readingrm/handbook/FCA Regulation/Forms/template.dotx
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://ww3.fca.gov/readingrm/fedreg/Federal Register Documents/81 FR 49139.docx
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ww3.fca.gov/readingrm/fedreg/Federal
    • http://fcahome/readingrm/handbook/FCA
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Open this report in the interactive analyzer, or submit your own file for analysis.