Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 32da33d03270d3e4…

MALICIOUS

Office (OOXML) / .DOC

Size: 15.5 KB
Created: 2021-01-22 12:00:00 UTC
Authoring application: Microsoft Office Word 14.0000
MD5: 3df18ecd55f8e267be39f6f757bcd5f0
SHA-1: d8fb3dcce1acd9d5c0bd69c40720d64b7f877ec1
SHA-256: 32da33d03270d3e434898d06ce4eb21dfd78a8fda4eae22c55c7a31cdf85ce68
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059 Command and Scripting Interpreter

The sample is an OOXML document that uses remote template injection and external relationships to point to a malicious URL. This indicates an attempt to trick the user into downloading a secondary malicious document from the specified URL, likely for further exploitation.

Heuristics (2)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://memoadvicr.com/kodec/report.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
    URL: http://memoadvicr.com/kodec/report.doc
  • External relationship [high] OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: http://memoadvicr.com/kodec/report.doc
    URL: http://memoadvicr.com/kodec/report.doc