Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 46fcbc170e84d8ad…

MALICIOUS

Office (OOXML) / .DOC

129.2 KB Created: 2020-09-24 11:36:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: 31d748392f447001ba275361fbe65695 SHA-1: b7031a67057cfe2178cd9cefc83f7fab5bf0c42c SHA-256: 46fcbc170e84d8ad48434251421bd8f6fa49a7e741d2c24d31c170c607c60d51
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML document contains heuristics indicating remote template injection and external relationship, both pointing to the same suspicious URL. This suggests the document is designed to fetch and execute content from this external source, likely as a downloader for further malicious activity. The specific content of the document body does not provide further clues, but the heuristics strongly indicate a malicious intent to load external resources.

Heuristics 3

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://www.dronerc.it/shop_testbr/localization/dir_photoes/image.php?image=pfrlogo_srmg3489.png) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://www.dronerc.it/shop_testbr/localization/dir_photoes/image.php?image=pfrlogo_srmg3489.png
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Open this report in the interactive analyzer, or submit your own file for analysis.