Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 166edb0c90cd2ebc…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOC
Size: 19.9 KB
Created: 2020-02-25 05:41:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: 633f383166c6f7a0741bd9eac9350551
SHA-1: aec67f023eb4080396b4ff94e6a6e3f0dd3fe098
SHA-256: 166edb0c90cd2ebc06b89fa048ce8e2061c0043331f1f3c390121881e7d0aefb
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a malicious OOXML document that uses remote template injection to pull content from an external URL. This technique is often used to download and execute further stages of malware. The document body itself is a seemingly legitimate job application, which is a common lure for social engineering attacks.

Heuristics (3)

  • Remote template injection (severity: high; rule OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (http://palodus.myftp.biz/network/guardian/relate/grudge/rrdJqe.dot) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium; rule OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: http://palodus.myftp.biz/network/guardian/relate/grudge/rrdJqe.dot
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
    • http://palodus.myftp.biz/network/guardian/relate/grudge/rrdJqe.dot