Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 3aedbd6383755a4b…

MALICIOUS

Office (OOXML) / .DOC

Size: 243.3 KB
Created: 2025-08-27 01:00:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 24c8aac04ab5a223da6fe890e07abb91
SHA-1: 48b26143a4fe152f95dad553e5a00c4c8299f970
SHA-256: 3aedbd6383755a4bc090e9ed1d2a093381cba46930aeb5b6cd2f55f75dea7ca7
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model Hijacking

The OOXML document exhibits characteristics of malicious intent, specifically remote template injection and the presence of an embedded OLE object. The URL 'https://yamantap.me/lAvJvh' is associated with these suspicious findings, indicating a likely attempt to download and execute a secondary payload. The embedded OLE object further supports the hypothesis of a multi-stage attack.

Heuristics (5)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://yamantap.me/lAvJvh) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://yamantap.me/lAvJvh
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibi

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: 443c003f584b117f7fbb7b32097b50036937198f150ef5c3023da7c443ba72cd
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 150016 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.96, consistent with packed or encrypted content.

Artifact 2
  Filename: emf_00.emf
  SHA-256: 747fa56f143cdbe605a1db26a81d002a04648f6a7a5fd95363c36d2c6f9b538e
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1504016 bytes