Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 449b4cee4b9df097…

MALICIOUS

Office (OOXML) / .DOCX

Size: 3.12 MB
Created: 2022-09-09 04:22:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 9d3993fedf4ce4d25a8e7bf2a3a7d903
SHA-1: ec8b9d3057df87564ebe15c75523c995dfa3e453
SHA-256: 449b4cee4b9df09777891a70248e000e3bb13f33d579603f69e444d4d175d022
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204 Malicious File

Heuristic analysis of the OOXML file indicates remote template injection: the document's external relationships point to 'https://en-us-office.herokuapp.com/updates'. This suggests the document is designed to lure the user into downloading and executing a malicious payload from the specified URL.

Heuristics (2)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://en-us-office.herokuapp.com/updates), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
    URL: https://en-us-office.herokuapp.com/updates
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://en-us-office.herokuapp.com/updates
    URL: https://en-us-office.herokuapp.com/updates