Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 32497eb25ff56d65…

MALICIOUS

Office (OOXML) / .DOC

Size: 103.9 KB
Created: 2025-11-05 12:49:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: d473e58739402df3b275bc41bda6cfb5
SHA-1: 7602b0b61aad9ac3faabc33a11e49f3820a5efc1
SHA-256: 32497eb25ff56d65b8d629b2c54ff78cec91c896e5d187eb3951718226c96de3
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204 Malicious Link

The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics indicate that the document is configured to fetch external content from the URL https://lemon-kutt.lemon.cchan.tv/IB8AeA. This is a common technique for downloading and executing additional malicious code or documents. The presence of an embedded OLE object further suggests an attempt to deliver a malicious payload.

Heuristics 4

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://lemon-kutt.lemon.cchan.tv/IB8AeA) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://lemon-kutt.lemon.cchan.tv/IB8AeA
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    df9554eb30b77a59353ff46ac3bc8438f5a7f562ae5e7a08f7be75c2da3a1020
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 250368 bytes
  • Filename: emf_00.emf
    93c621ee3f4aee737dff99c483ed23f7f7a8fbe22ea816c5992e2f763922d1af
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 40616 bytes
  • Filename: emf_01.emf
    87ae4f1459c90022c38e204926debf1dc0a76f12fd49f515239c5e3f3dd2c7a5
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 66984 bytes