Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 3a0cb7a9d6102898…

MALICIOUS

Office (OOXML) / .DOC

79.9 KB Created: 2023-05-24 00:47:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2023-05-25
MD5: 4a92b44cabe5ef9d5dc989a90ee05998 SHA-1: 849259455239e9c2fd42d791dbf991699c97cab7 SHA-256: 3a0cb7a9d6102898e2e773ec99805b0aaa3c4e3982576655a37433475ce5dc9e
82 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The sample exhibits characteristics of a malicious OOXML document, specifically remote template injection and the presence of an embedded OLE object. These elements strongly suggest an attempt to download and execute a secondary payload from the identified unknown URL. The combination of these heuristics indicates a high likelihood of a malicious document designed for initial payload delivery.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://###########################################WXIIIIIIIIIIIIIIIIIIIIIWXWW7W8E7E8WEE7E733333333WSSDSDFF4477447474747SWSDDDDWSDLLLLLLLLLL) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://###########################################WXIIIIIIIIIIIIIIIIIIIIIWXWW7W8E7E8WEE7E733333333WSSDSDFF4477447474747
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://###########################################WXIIIIIIIIIIIIIIIIIIIIIWXWW7W8E7E8WEE7E733333333WSSDSDFF4477447474747SWSDDDDWSDLLLLLLLLLL
    • https://###########################################WXIIIIIIIIIIIIIIIIIIIIIWXWW7W8E7E8WEE7E733333333WSSDSDFF4477447474747SWSDDDDWSDLLLLLLLLLLSSDDFFFG@s.id/1JNvl
    • https://###########################################WXIIIIIIIIIIIIIIIIIIIIIWXWW7W8E7E8WEE7E733333333WSSDSDFF4477447474747
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
dac8f984e4e9dd647e36cb0f568bab0aa9187d55efe78bd82e2f007058c5507f		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Macro-Enabled_Worksheet4.xlsm 11677 bytes
ooxml_oleobject_01.bin
06569b42119b471f04070b4f9585a263d32198d995692e9fdded813a2a5bdf9c		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Macro-Enabled_Worksheet1.xlsm 11689 bytes
emf_00.emf
1ab8f5abd845ffd0c61a61bb09bfcf20569b80b4496bccb58c623753cf40485c		 ooxml-emf OOXML EMF part: word/media/image1.emf 4056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.