Office (OOXML) / .DOC malware analysis — malicious · 17cc77dc779d4556

MALICIOUS

Office (OOXML) / .DOC

35.3 KB Created: 2023-07-19 01:22:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2023-07-26

MD5: 1882861692ac02f14f37709ffabccfb4 SHA-1: 89ee2733e76117003ccbebe4d67a5665e93889d6 SHA-256: 17cc77dc779d4556755a6ca45a26565eb7c3efbeff7d973b9aeb9d167ebfe27f

62 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File

The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics indicate that the document is configured to load external content from the URL https://emojied.net/🙃😴🙏😩🙆😻. This is a common technique for downloading and executing a second-stage payload, suggesting a malicious intent to compromise the user's system.

Heuristics 3

Remote template injection high OOXML_REMOTE_TEMPLATE

Document references a remote template URL (https://emojied.net/🙃😴🙏😩🙆😻) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
External relationship medium OOXML_EXTERNAL_REL

External target in word/_rels/settings.xml.rels: https://emojied.net/🙃😴🙏😩🙆😻
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://emojied.net/🙃😴🙏😩🙆😻
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.