Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 10f7d98a3aad55a9…

MALICIOUS

Office (OOXML) / .DOC

Size: 107.2 KB
Created: 2025-08-07 03:30:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: e32ef5dea1eae8e52d8995d674bce2ba
SHA-1: 4bc0c5fa176d751185b629a4852f09d2b1111741
SHA-256: 10f7d98a3aad55a9163fa510628166a70e07e9a32cf4448f4a3cb13cf1bff2f7
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample exhibits high-confidence indicators of remote template injection and external relationship exploitation, suggesting an attempt to download and execute a secondary payload from a remote URL. The presence of embedded OLE objects further supports the likelihood of malicious content being embedded within the document. The primary IOC is the suspicious URL identified by multiple heuristics.

Heuristics (4)

  • [high] Remote template injection (OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://besthumndgodddbacksgivbnbestfeelherlif______ennvsecetrvrillafodorme.JpEg=@link.sowl.to/7SygCs) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • [medium] External relationship (OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://besthumndgodddbacksgivbnbestfeelherlif______ennvsecetrvrillafodorme.JpEg=@link.sowl.to/7SygCs
  • [medium] Embedded OLE object (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://besthumndgodddbacksgivbnbestfeelherlif______ennvsecetrvrillafodorme.JpEg=@link.sowl.to/7SygCs
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ooxml_oleobject_00.bin (aa3821d96443c73707b18c623773d9d74191ca1408492cc1f512c91474aa7f29) | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/Microsoft_Office_Word_97_-_2003_Document111.doc | 51712 bytes
ooxml_oleobject_01.bin (e357ea339fccde880cbe15eac3ce79468934e861fa0a467e34330109705288db) | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/Microsoft_Office_PowerPoint_97-2003_Presentation2.ppt | 43008 bytes
ooxml_oleobject_02.bin (87bbc2aa7b61e02fb4cb2fab4bece2a0b048ed0d57279aa2e15cd01c255a9c01) | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx | 40709 bytes
emf_00.emf (6cba0563199eaa5ec0632675e9351979592e6708392d53b04a27ce2997b91ff7) | ooxml-emf | OOXML EMF part: word/media/image2.emf | 2516 bytes
emf_01.emf (7ece1bf3b9c35c349bef7384f87a305aa456310ac7b4ae60c0e8dae3121f9571) | ooxml-emf | OOXML EMF part: word/media/image1.emf | 1088 bytes
emf_02.emf (526dd1c89a22dffe54b8d79277bb66fff4c40c8eaffebe748f7c74b573b9014e) | ooxml-emf | OOXML EMF part: word/media/image3.emf | 68332 bytes