Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 137c032094a452e3…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOC

Size: 155.2 KB
Created: 2025-10-03 05:27:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 5e5026e191451fa2944158a6222bf3d9
SHA-1: 411d5d475799e9ac92747ccf45c8cbccfc71653c
SHA-256: 137c032094a452e3d861ecbfa6c439eb8debf672f18238e6b440a6969e7d07f1
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample exhibits high-confidence indicators of remote template injection and external relationship exploitation, suggesting it is designed to download and execute a secondary payload from a remote source. The presence of an embedded OLE object further supports the likelihood of malicious code execution. The primary IOC is the suspicious URL associated with the remote template injection.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://.............................................#ddddddddddd#--------------_-------vessel=subdued&salt=impossible&comb=nosy&redesign@li), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. When the document is opened, Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://.............................................#ddddddddddd#--------------_-------vessel=subdued&salt=impossible&c
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object (carved as word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls; see Extracted artifacts below).
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://.............................................#ddddddddddd#--------------_-------vessel=subdued&salt=impossible&comb=nosy&redesign@link.takusuki.com/dkjlX6?&cop-out=hissing&fang=furtive&bathtub
    • https://.............................................#ddddddddddd#--------------_-------vessel=subdued&salt=impossible&c
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    The schemas.openxmlformats.org and schemas.microsoft.com entries are XML namespace URIs declared in every Word OOXML document and are not network indicators; only the first two URLs are relevant to the remote-template and external-relationship findings above.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 7d0c8219c8d79bfc8266cb19f83f1d921b672ddd18ee470294ab8d85a03835d5
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 462848 bytes
  • emf_00.emf
    SHA-256: f63b4d8f68f350f79d48cd14d411bcbbe403c081cd5a7140bc8db57aa0d080ed
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 146124 bytes