Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 36750e2292303a98…

MALICIOUS

Office (OOXML)

Size: 132.7 KB
Created: 2018-08-22 10:24:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2019-06-27
MD5: 27425360d18feea54860420006ea9833
SHA-1: ec34a6b8943c110687ef6f39a838e68d42d24863
SHA-256: 36750e2292303a98082806330fbe3771942673e9ff78cfdeb77bccdb165ccd30
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

A remote-template-injection heuristic fired on this OOXML document: word/settings.xml carries an attachedTemplate relationship whose target is an external URL, so Word will try to fetch that template when the document is opened. This is a common way to deliver a macro-bearing payload while keeping the phishing attachment itself macro-free. The external-relationship indicator is the same relationship seen from the package side and corroborates the finding. The primary IOC is the remote template URL.

Heuristics (3)

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://outlook.officebetas.com/templates/vni-times.png), a remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word fetches the target and applies it as a template regardless of the .png extension, which is cosmetic; the file type is decided by the content that is served. Macros in that template may execute depending on Office macro policy and the trust state (Protected View, Mark-of-the-Web, trusted locations) of the opening document.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://outlook.officebetas.com/templates/vni-times.png
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://outlook.officebetas.com/templates/vni-times.png: Remote template reference
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape: In document text (OOXML body / shared strings)
    The http://schemas.* entries are XML namespace URIs from xmlns declarations that appear in every Word-authored OOXML package; they are schema identifiers, not network indicators, and should not be blocked or pivoted on. Only the first URL is reachable from the document's relationships.
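
The three heuristics above can be reproduced from the package structure alone. The following scanner is an added example written for this report and is not the analysis platform's own code: it walks every .rels part for TargetMode="External" relationships, reports an attachedTemplate relationship as a remote template only when word/settings.xml actually references its r:id, and extracts URLs from document.xml via the XML parser so that xmlns namespace URIs (the http://schemas.* noise above) are not mistaken for indicators. The sample .docx it builds, the example.invalid URLs and the function names are constructed for the demonstration.

```python
"""Scan an OOXML (.docx) package for remote-template injection and other
external relationships. Added example, not the report platform's own code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def external_relationships(z):
    """Yield (rels_part, rel_id, rel_type, target) for every TargetMode="External"
    relationship in any .rels part of the package."""
    for name in z.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(z.read(name))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("TargetMode") == "External":
                yield name, rel.get("Id"), rel.get("Type"), rel.get("Target")


def remote_templates(z):
    """Targets of attachedTemplate relationships that word/settings.xml really
    references through <w:attachedTemplate r:id=.../>. A dangling external rel
    with no matching r:id is still an OOXML_EXTERNAL_REL, but not a template."""
    ext = {rid: target for part, rid, typ, target in external_relationships(z)
           if part == "word/_rels/settings.xml.rels" and typ == ATTACHED_TEMPLATE}
    if not ext or "word/settings.xml" not in z.namelist():
        return []
    settings = ET.fromstring(z.read("word/settings.xml"))
    return [ext[el.get(f"{{{R_NS}}}id")]
            for el in settings.iter(f"{{{W_NS}}}attachedTemplate")
            if el.get(f"{{{R_NS}}}id") in ext]


def body_urls(xml_bytes):
    """URLs found in element text, tails or attribute values. ElementTree does not
    expose xmlns declarations in .attrib, so schema namespace URIs are skipped."""
    found = set()
    for el in ET.fromstring(xml_bytes).iter():
        for value in [el.text or "", el.tail or ""] + list(el.attrib.values()):
            found.update(URL_RE.findall(value))
    return found


def scan(docx_bytes):
    """Return (severity, heuristic, detail) triples using the report's own labels."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for target in remote_templates(z):
            findings.append(("high", "OOXML_REMOTE_TEMPLATE", target))
        for part, _rid, _typ, target in external_relationships(z):
            findings.append(("medium", "OOXML_EXTERNAL_REL", f"{part}: {target}"))
        if "word/document.xml" in z.namelist():
            for url in sorted(body_urls(z.read("word/document.xml"))):
                findings.append(("info", "EMBEDDED_URL", f"word/document.xml: {url}"))
    return findings


def build_sample_docx(template_url=None):
    """Constructed minimal package for testing (not a real sample): a one-paragraph
    body and, if template_url is given, a settings.xml that attaches it remotely."""
    document = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                '<w:t>Enable editing, then see http://example.invalid/lure</w:t>'
                '</w:r></w:p></w:body></w:document>')
    settings = f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_url:
        settings += '<w:attachedTemplate r:id="rId1"/>'
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_url}" TargetMode="External"/>')
    settings += "</w:settings>"
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan(build_sample_docx("https://example.invalid/templates/t.dotm")):
        print(*finding)
```

Run against a real sample with scan(open("sample.docx", "rb").read()). Checking the r:id link between settings.xml and its .rels is what separates a live remote template from leftover relationship entries, and parsing the XML rather than grepping the raw bytes is what keeps the namespace URIs out of the IOC list.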