Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 33f67d1681ba87b8…

MALICIOUS

Office (OOXML)

Size: 11.5 KB
Created: 2018-09-18 11:48:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2019-04-18
MD5: 13dadbc637efd43d91a5f36a043607b8
SHA-1: b67c3e7d752b64dcd7ad5cefac292e5b95043dc6
SHA-256: 33f67d1681ba87b8c6e22505fd66c6afcaa52db0ebd54335273ec57285a64cf6
Risk score: 182

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample uses an OOXML external relationship pointing at a domain on a free, no-registration TLD, indicating an attempt to pull remote content into the document. ClamAV detection as 'Doc.Downloader.Redline' further supports the malicious verdict. The primary IOC is the URL used for remote template injection, which most likely serves as the download source for a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Downloader.Redline-9972754-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • OOXML external relationship targets a free/throwaway TLD (severity: high, rule: OOXML_EXTERNAL_REL_FREE_TLD)
    Document has an external relationship whose target host is on a free, no-registration TLD (Freenom .ml/.ga/.cf/.gq/.tk). Legitimate business documents do not link out to a Freenom throwaway domain; these are a near-zero-FP phishing / BEC delivery tell (e.g. an RFQ/invoice lure pointing at 'shareddocuments.ml/RFQ'). The relationship may be a hyperlink, a remote template, or an external OLE object.
  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (http://tunjihost.ga/doc/sologee.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: high, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/webSettings.xml.rels: http://tunjihost.ga/doc/sologee.doc
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the http://schemas.* entries below are standard OOXML XML namespace identifiers that Word writes into every document; they are not network indicators, and only the first URL is an actual external target.
    • http://tunjihost.ga/doc/sologee.doc (channel: OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (channel: in document text, OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (channel: in document text, OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (channel: in document text, OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (channel: in document text, OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (channel: in document text, OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (channel: in document text, OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (channel: in document text, OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (channel: in document text, OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (channel: in document text, OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (channel: in document text, OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (channel: in document text, OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (channel: in document text, OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (channel: in document text, OOXML body / shared strings)