Office (OOXML) / .DOC malware analysis — malicious · 1a71a8bc099c9ab4

MALICIOUS

Office (OOXML) / .DOC

321.5 KB Created: 2025-10-23 11:58:00 UTC Authoring application: Microsoft Office Word 12.0000

MD5: 083611a154aa1fee6388ccf2651dc973 SHA-1: 515aba2bb7a212b81e68ace2dc0fa94e86f89d3f SHA-256: 1a71a8bc099c9ab4d4c65431aa2190690ee0be76536c430e1acaf79254b4a455

60 Risk Score

Heuristics 3

Remote template injection high OOXML_REMOTE_TEMPLATE

Document references a remote template URL (https://.............90909090909009090909090090909009009090900090090099090090909?&@lkbx.in/TZAs32?&bandolier) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
External relationship medium OOXML_EXTERNAL_REL

External target in word/_rels/settings.xml.rels: https://.............90909090909009090909090090909009009090900090090099090090909?&@lkbx.in/TZAs32?&bandolier
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`emf_00.emf` `927c12c9c613dda0936995dd30506b8d52b1ff78cba4031da6302d520ea61de9`	ooxml-emf	OOXML EMF part: word/media/image1.emf	3128832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.