Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 457f807839420c14…

MALICIOUS

Office (OOXML)

Size: 10.1 KB
Created: 2018-03-07 09:39:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2021-09-15
MD5: 7e527333d4ad7f40ac5c75e58b86ae01
SHA-1: 3b78e8ed59a6486ac7a418dce979bc244c747fa2
SHA-256: 457f807839420c14c044df01a7d8b5555429bb168007d28b4738266762fe9109
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an OOXML document that triggers the remote-template-injection and external-relationship heuristics, indicating that it attempts to fetch content from an external source. The ClamAV detection 'Doc.Downloader.Redline-9972754-0' strongly suggests downloader functionality. The primary IOC is the external URL https://ggle.io/4FWF, which is likely used to retrieve and execute a secondary payload.

Heuristics (4)

  • ClamAV: Doc.Downloader.Redline-9972754-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection (high, OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://ggle.io/4FWF) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (medium, OOXML_EXTERNAL_REL)
    External target in word/_rels/webSettings.xml.rels: https://ggle.io/4FWF
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ggle.io/4FWF: Remote template reference
    • http://schemas.openxmlformats.org/markup-compatibility/2006: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing: In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main: In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml: In document text (OOXML body / shared strings)