Office (OOXML) / .DOC malware analysis — malicious · 1b0dbeaad0cf9c60

MALICIOUS

Office (OOXML) / .DOC

321.5 KB Created: 2025-10-23 11:58:00 UTC Authoring application: Microsoft Office Word 12.0000

MD5: b2859a7f525670d85b2f41644ba25a11 SHA-1: 510ea808afea2f98a1270390eefbd066880f89f2 SHA-256: 1b0dbeaad0cf9c607cc2985571b26be3b74aa78b3367116b85ebf8c6c839a703

60 Risk Score

Heuristics 3

Remote template injection high OOXML_REMOTE_TEMPLATE

Document references a remote template URL (https://.............90909090909009090909090090909009009090900090090099090090909?&@lkbx.in/aXvHHe?&carload) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
External relationship medium OOXML_EXTERNAL_REL

External target in word/_rels/settings.xml.rels: https://.............90909090909009090909090090909009009090900090090099090090909?&@lkbx.in/aXvHHe?&carload
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`emf_00.emf` `927c12c9c613dda0936995dd30506b8d52b1ff78cba4031da6302d520ea61de9`	ooxml-emf	OOXML EMF part: word/media/image1.emf	3128832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.