Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 28a631cb99069290…

MALICIOUS

Office (OOXML) / .DOC

Size: 10.1 KB
Created: 2018-03-07 09:39:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2022-08-24
MD5: e3009e0b535eec09f032219097903ec9
SHA-1: c4905d8ec96fdff644543a839ecfa193bed5a611
SHA-256: 28a631cb990692904f94593daaea159510ec0166ee01a7f72d1a99f3090fe295
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The critical ClamAV detection (Doc.Downloader.Redline-9972754-0) and the two high-severity heuristics, a remote template reference and an external relationship in word/_rels/webSettings.xml.rels, indicate that this OOXML document (delivered with a .doc extension) is built to fetch and execute a second-stage payload when it is opened, the remote-template-injection pattern catalogued by ATT&CK as T1221. The two external URLs share a single host written as the bare decimal integer 1806549122, a dword encoding of the IPv4 address 107.173.192.130; that notation, together with the long path made only of dots and dashes, is a common way to evade URL filters and blocklists, and the host does not match known malicious sites at the time of analysis. The remaining extracted URLs (schemas.openxmlformats.org, schemas.microsoft.com) are XML namespace declarations present in every OOXML file and are not network indicators. The document body contains only placeholder text, so the lure cannot be recovered from the file alone; the 2018 creation timestamp and the authoring-application string are attacker-controlled metadata and should not be used to date the campaign.

Heuristics (4)

  • ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://1806549122/..--------..---------..----_---_---------____-_-_-_-------..-/h......--------------....------------_------.------D-dD----.) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: http://1806549122/..--------..---------..----_---_---------____-_-_-_-------..-/h......--------------....------------_--
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://1806549122/..--------..---------..----_---_---------____-_-_-_-------..-/h......--------------....------------_------.------D-dD----
    • http://1806549122/..--------..---------..----_---_---------____-_-_-_-------..-/h......--------------....------------_------.------D-dD----.doc
    • http://1806549122/..--------..---------..----_---_---------____-_-_-_-------..-/h......--------------....------------_--
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
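The two high-severity heuristics above both come down to one check: an OOXML relationship part whose Target is marked External and whose relationship type makes Word fetch the target on open. The following is an added example, not code from the report or from ClamAV, that performs that check over a document and decodes a decimal (dword) host such as 1806549122 into dotted-quad form. It builds a minimal, constructed .docx in memory; the host is taken from the report, but the remote paths in the sample (remote.dotm, frame.doc) are placeholders, not the real ones, and the relationship-type table is an assumption drawn from ECMA-376.

```python
"""Added example: find fetch-on-open external relationships in an OOXML file
and decode dword-encoded IPv4 hosts. Not part of the original report."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that cause Word to retrieve the target when the document
# is opened (assumed mapping based on ECMA-376 relationship names).
FETCH_ON_OPEN = {
    OFFICE_REL + "attachedTemplate": "remote template (settings.xml.rels)",
    OFFICE_REL + "frame": "frameset source (webSettings.xml.rels)",
}


def decode_host(host):
    """Return dotted-quad form for a decimal IPv4 host ("1806549122"),
    otherwise return the host unchanged. Bare-integer hosts are accepted by
    Windows URL parsers and slip past filters that expect dotted notation."""
    if re.fullmatch(r"\d{1,10}", host) and int(host) < 2 ** 32:
        n = int(host)
        return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return host


def external_relationships(docx_bytes):
    """Walk every *.rels part in the package and report relationships with
    TargetMode="External", noting which ones Word fetches on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal part reference, not a network target
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": target,
                    "host": decode_host(urlsplit(target).hostname or ""),
                    "fetch_on_open": FETCH_ON_OPEN.get(rel_type),
                })
    return findings


def build_sample_docx():
    """Constructed minimal package reproducing the report's two external
    relationships. Host from the report; paths are placeholders."""
    template_url = "http://1806549122/remote.dotm"   # placeholder path
    frame_url = "http://1806549122/frame.doc"         # placeholder path
    settings_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/></Relationships>'
    )
    web_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}frame" '
        f'Target="{frame_url}" TargetMode="External"/></Relationships>'
    )
    doc_rels = (  # ordinary internal relationship; must not be reported
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" '
        f'Target="settings.xml"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/_rels/webSettings.xml.rels", web_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in external_relationships(build_sample_docx()):
        print(f["part"], f["type"], f["host"], f["fetch_on_open"])
```

Run against a real sample by replacing build_sample_docx() with the bytes of the file; any finding with fetch_on_open set should be treated as a download-on-open indicator regardless of whether the document contains macros, and the decoded host, not the raw integer, is the value to block or hunt for.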