Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 3420e459838b7128…

MALICIOUS

Office (OOXML) / .DOC

Size: 11.5 KB | Created: 2018-03-07 09:39:00 UTC | Authoring application: Microsoft Office Word 15.0000
MD5: 713f6c28d2e3de2b8f88c7ed998e9765 | SHA-1: 0ab897f5b744a3cc6de211ec3f3a53947d3efb78 | SHA-256: 3420e459838b71286a749b94e29d7207b141f89c5519cded88fbe270b18c34f4
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a downloader, specifically triggering heuristics for remote template injection and external relationships pointing to a suspicious URL. ClamAV identifies it as Doc.Downloader.Redline, suggesting its purpose is to fetch and execute additional malicious content. The embedded URL is the primary indicator of the secondary payload's origin.

Heuristics (4)

  • ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://fsdfjkhiuwehxcyvuiyiuwefocshsduihfnabhsghfghewfjpiouyiyuixcvxuv.ydns.eu/reg/document.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: http://fsdfjkhiuwehxcyvuiyiuwefocshsduihfnabhsghfghewfjpiouyiyuixcvxuv.ydns.eu/reg/document.doc
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.