MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1566.002 Spearphishing Attachment
The file exhibits high-severity heuristics for remote template injection and external relationship, indicating an attempt to load external content. The ClamAV detection as 'Doc.Downloader.Loda' further supports its malicious nature. The primary IOC is the URL used for the remote template injection, which likely serves as a downloader for a secondary payload.
Heuristics 4
-
ClamAV: Doc.Downloader.Loda-7570590-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Loda-7570590-0
-
Remote template injection high OOXML_REMOTE_TEMPLATEDocument references a remote template URL (http://2.59.254.18/_errorpages/obizx.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
-
External relationship high OOXML_EXTERNAL_RELExternal target in word/_rels/settings.xml.rels: http://2.59.254.18/_errorpages/obizx.doc
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://2.59.254.18/_errorpages/obizx.doc
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
Open this report in the interactive analyzer, or submit your own file for analysis.