Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 3e090a3f20ab44f4…

MALICIOUS

Office (OOXML) / .DOC

Size: 695.9 KB
Created: 2023-06-11 02:09:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-10-04
MD5: 89e20b0ff04078de479f06383bfdb9e3
SHA-1: dba51261078dda20310bf2eecf95e039c189bfba
SHA-256: 3e090a3f20ab44f4efec21a7896198035f9076a9badc8764e4a0bd2fe68c45f5
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1059 Command and Scripting Interpreter

The sample exhibits characteristics of a malicious OOXML document, specifically triggering heuristics for remote template injection and external relationships. The presence of an embedded OLE object and an unknown URL suggests an attempt to download and execute a secondary payload. The primary malicious indicator is the external URL, which likely hosts the next stage of the attack.

Heuristics (5)

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://i8.ae/vfVxJ) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://i8.ae/vfVxJ
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (the first is the external-relationship target; the remaining entries are standard OOXML namespace URIs that appear in any Word document):
    • https://i8.ae/vfVxJ
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 316416 bytes
    SHA-256: 8de65209996ea314f9fc64528f5b11f3c10a147a241723ae67eac0b5522a3cd3
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.75, consistent with packed or encrypted content.
  • ooxml_oleobject_01.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
    Size: 5632 bytes
    SHA-256: 1def977f91a9c6b0be2a9b013d5d882a88020c8ea471d3785ac16638ee094982
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1505804 bytes
    SHA-256: 6abca8334cf34a16da88511242da6a55708966a9fe88cfd3b373d781c45c585f