Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 3076f19e5850a8ee…

MALICIOUS

Office (OOXML) / .DOC

146.6 KB
Created: 2025-08-13 04:38:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 2dcd62f287b18abbe027732a0d837f09
SHA-1: 4c5e22c4bee7041a587fb68390f6659c85173488
SHA-256: 3076f19e5850a8eedc89526c8612ca996c742db09a9672528d9838f6d41fe3bf
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics indicate that the document is configured to load external content from a suspicious URL. This external content is likely a malicious template designed to exploit vulnerabilities or deliver a secondary payload. The presence of this remote template injection is the primary indicator of malicious intent.

Heuristics 3

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://veryniccepoeplesentierplacewhowantbest________#nicekissingexperience.gIfFFF=@shorten.website/dwIMfl) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://veryniccepoeplesentierplacewhowantbest________#nicekissingexperience.gIfFFF=@shorten.website/dwIMfl
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image1.emf | 27400 bytes
    f11eba712e1969125328c0cfebed2f136fce84ee72201641cb0462bf30b85cfd
emf_01.emf | ooxml-emf | OOXML EMF part: word/media/image2.emf | 90400 bytes
    b17fdb32d0f34bb02e539b6798cca086fa12adee3c2dd397df5226eccbd02534