Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 36121afec9959963…

MALICIOUS

Office (OOXML) / .DOC

Size: 35.0 KB
Created: 2024-10-29 11:50:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 78be86ebe4907d4195a9f9b7b09d9454
SHA-1: 1136319ab7cb1b7b50ea3c93a8fd25c402c7f971
SHA-256: 36121afec9959963b1c1d30dcb13b9031e445cebac5a62b353297c94bb3c2f75
Risk score: 82

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample exhibits characteristics of a malicious OOXML document, specifically triggering heuristics for remote template injection and external relationships pointing to the URL 'https://provit.uk/Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture'. Additionally, an embedded OLE object was detected, which likely serves as the mechanism to execute the payload from the remote template. The combination of these findings strongly suggests an attempt to download and run a secondary malicious file.

Heuristics (5)

  • Remote template injection (high) OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://provit.uk/Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (medium) OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://provit.uk/Ib9yLe?&shoelace=strong&skyscraper=discreet&roll=thoughtful&mimosa=wacky&vulture
  • Embedded OLE object (medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (3)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • ooxml_oleobject_00.bin
    SHA-256: 567b2bf75ed15467b0692c2128d817e3129606bc018ed82f647dc7e4f2e21a12
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 29696 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: bdf966db1cc87fea5dc0c7408b7d9a750bac7995b62c8f4514feb7ad6e8c069e
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin, Ole10Native stream: Ole10Native
    Size: 26683 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.59, consistent with packed or encrypted content.
  • emf_00.emf
    SHA-256: 48f87b835adfa658eadf4c6d9321b08308b0b9f8292e7013cd0751a8f52e1eab
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 7428 bytes