Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 1e84dc87bb9e8c4a…

MALICIOUS

Office (OOXML) / .DOC

Size: 1.15 MB
Created: 2025-11-24 17:54:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5:     79e7bf96194ce5c0287a104766c7aed3
SHA-1:   b1a6e28dbb21abeac54a024a611a4d53e3ce5db2
SHA-256: 1e84dc87bb9e8c4a34bb277aee742b515d00326ea0e85751d3e0798c0ade753c
Risk score: 82

Malware Insights

MITRE ATT&CK
  T1204.002 User Execution: Malicious File
  T1027 Obfuscated Files or Information

The sample combines OOXML remote template injection (an external attachedTemplate relationship in word/_rels/settings.xml.rels whose target resolves to the host masuk.to) with two embedded OLE objects, one of which carries a 4,356,068-byte Ole10Native package stream. This pairing is typical of a loader document: the remote template is fetched when the document is opened and can stage a second payload, while the packaged OLE object can drop a file locally. No signature engine flagged the carved objects (ClamAV returned no detection), so the verdict rests on the heuristics below and on the high entropy of the carved OLE content, which is consistent with packed or encrypted data rather than a benign embedded document.

Heuristics 4

  • Remote template injection (severity: high) OOXML_REMOTE_TEMPLATE
    The settings part carries an external attachedTemplate relationship whose target is a remote URL (https://\\\\\\\\\@masuk.to/miyu24?&\\\\\\\\\\). Remote template injection is a common delivery vector used by Hancitor, Emotet and many phishing campaigns: on open, Word fetches and applies the remote template, and any macros in that template can run subject to the Office macro policy and the document's trust state (Mark-of-the-Web, Protected View, Trusted Locations). Note the URL shape: under RFC 3986 authority syntax everything between "//" and the last "@" is the userinfo component, so the host actually contacted is masuk.to; the runs of backslashes are most likely padding intended to defeat naive URL extraction and regex-based indicators.
    URL https://\\\\\\\\\@masuk.to/miyu24?&\\\\\\\\\\
  • External relationship (severity: medium) OOXML_EXTERNAL_REL
    External target (TargetMode="External") in word/_rels/settings.xml.rels: https://\\\\\\\\\@masuk.to/miyu24?&\\\\\\\\\\
    URL https://\\\\\\\\\@masuk.to/miyu24?&\\\\\\\\\\
  • Embedded OLE object (severity: medium) OOXML_OLE_OBJECT
    The document contains embedded OLE objects (word/embeddings/oleObject1.bin and oleObject2.bin); oleObject2.bin holds an Ole10Native stream, i.e. a Packager object wrapping an arbitrary file that Office writes to disk and launches (after a warning dialog) when the user activates it.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files carved from this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).

Extracted artifacts 4

Files carved from inside the sample during analysis.

ooxml_oleobject_00.bin
  SHA-256: 115b4037072232ef3277b8726bb2851a6ccfcf50786c8f2048f616a7ecb42615
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: word/embeddings/oleObject2.bin
  Size:    4393472 bytes

ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 31a02c22df8cbacdb86107c9b563537ab9db3e646f627a13ba3ac237232e52d5
  Kind:    ole-package
  Source:  OOXML word/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
  Size:    4356068 bytes

ooxml_oleobject_01.bin
  SHA-256: ae2a53e5fb8fdfd4da733c1919b952d87da43ed71bb111a5e2ceae9e11823df5
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size:    1075712 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.78, consistent with packed or encrypted content.

emf_00.emf
  SHA-256: 9f76ea04bc228bcb626c149dfe51c2602d9ba95ad105ccfa140ce51f356b15ed
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image1.emf
  Size:    1505804 bytes
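The following script is an added worked example, not code from the report or from the tool that produced it. It reproduces the two checks the heuristics and artifact triage above rest on: enumerating TargetMode="External" relationships in every .rels part and flagging the attachedTemplate type as remote template injection (resolving the host the way a tolerant URL parser does, so the userinfo trick in the quoted URL is visible), and computing Shannon entropy over the parts under word/embeddings/. The .docx it scans is a constructed fixture built in memory with the report's URL and a pseudo-random stand-in for an OLE payload, so it runs offline; the helper names (build_sample_docx, find_external_rels, scan_embedded_ole) and the 7.5 entropy threshold are this example's own choices.

```python
"""Added OOXML triage example (constructed fixture, not the report's tool)."""
import io
import math
import random
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header

# Remote template URL from the report, built piecewise so the backslash runs
# (9 before '@', 10 at the end) are unambiguous in source.
REMOTE_URL = "https://" + "\\" * 9 + "@masuk.to/miyu24?&" + "\\" * 10


def build_sample_docx() -> bytes:
    """Constructed fixture: minimal package with an external attachedTemplate
    relationship and one embedded OLE part (CFB magic + pseudo-random bytes
    standing in for a compressed/encrypted payload)."""
    root = ET.Element(f"{{{REL_NS}}}Relationships")
    ET.SubElement(root, f"{{{REL_NS}}}Relationship", Id="rId1",
                  Type=ATTACHED_TEMPLATE, Target=REMOTE_URL,
                  TargetMode="External")
    rels = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    ole_part = OLE_CFB_MAGIC + random.Random(7).randbytes(4096)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main" xmlns:r="http://schemas.'
                   'openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels", rels)
        z.writestr("word/embeddings/oleObject1.bin", ole_part)
    return buf.getvalue()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform; ~7.7 and above is typical of packed or
    encrypted content, as with the 7.78 reported for the carved OLE object."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def effective_host(url: str) -> str:
    """Host a tolerant parser contacts: per RFC 3986 everything before the
    last '@' in the authority is userinfo, not part of the host."""
    return (urlsplit(url).hostname or "").lower()


def find_external_rels(docx: bytes) -> list:
    """All TargetMode="External" relationships in any .rels part; the
    attachedTemplate type is what makes it remote template injection."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "host": effective_host(target),
                    "remote_template": rel.get("Type") == ATTACHED_TEMPLATE,
                })
    return findings


def scan_embedded_ole(docx: bytes, threshold: float = 7.5) -> list:
    """Entropy triage of word/embeddings/* parts (threshold is an assumption)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = z.read(name)
            ent = shannon_entropy(data)
            results.append({"part": name, "size": len(data),
                            "is_cfb": data.startswith(OLE_CFB_MAGIC),
                            "entropy": round(ent, 2),
                            "packed_or_encrypted": ent >= threshold})
    return results


if __name__ == "__main__":
    sample = build_sample_docx()
    for f in find_external_rels(sample):
        print("external rel:", f)
    for r in scan_embedded_ole(sample):
        print("embedded OLE:", r)
```

Run against a real sample by replacing build_sample_docx() with the file's bytes. Entropy alone does not prove malice (legitimate embedded PDFs or images are also high-entropy), which is why the report grades that check "info" and lets the remote template relationship carry the verdict; a clean parse of the relationship file is also more robust than regex-matching URLs, which the backslash padding is designed to break.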