Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 0b6e3f24afd42a86…

MALICIOUS

Office (OOXML) / .DOC

Size: 89.6 KB
Created: 2024-08-07 00:30:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: b72c35a34b4a1d1c1b6da58930d14c13
SHA-1: fecb05eb9275558c73148dab2efd1a877231f7af
SHA-256: 0b6e3f24afd42a862cb83f5502ca732e59091703cb33723b38fce66cfc18fc7a
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample exhibits characteristics of a malicious OOXML document, specifically remote template injection and external relationship indicators pointing to 'https://urlty.co/VJXxz'. The presence of embedded OLE objects suggests the document is designed to deliver and execute additional malicious content. While no scripts were directly extracted, the heuristics strongly indicate an attempt to exploit vulnerabilities for client execution, likely initiated via spearphishing.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://urlty.co/VJXxz) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://urlty.co/VJXxz
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://urlty.co/VJXxz
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

ooxml_oleobject_00.bin
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx
  Size:    40531 bytes
  SHA-256: 81ea3c0464e63dd0d65a9b08329d2f508abb559fc8a8dad68b40aded3988cadb

ooxml_oleobject_01.bin
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet2.xlsx
  Size:    26947 bytes
  SHA-256: 3570a97115dce6186711f1a9030503a8916109445e477f0fa51c26bd77a638f1

emf_00.emf
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image2.emf
  Size:    80632 bytes
  SHA-256: 6f6e805c9473d6b4c0aec3b082cbc7e782b6c56a4d0048ef5902bb3ed8a8965c

emf_01.emf
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image1.emf
  Size:    39300 bytes
  SHA-256: dac9a2d5e3e466ce9b5d6f78a7448a58b3bef2a3b58c24287015cd74521bbd74