Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 471fb821655bfbe3…

MALICIOUS

Office (OOXML) / .DOC

Size: 89.6 KB
Created: 2024-08-07 00:30:00 UTC
Authoring application: Microsoft Office Word 12.0000 (Application/AppVersion as recorded in docProps/app.xml; 12.x is the Office 2007 version line; this metadata is author-controlled and not a reliable indicator)
MD5: eb42c45709249e55655ee0903c331255
SHA-1: a82a7ce68f122cc200a80d560fc22547e3b05ca0
SHA-256: 471fb821655bfbe33bec87b81559c214e65643a14e0a3e52208a6498f96234ed
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1221 Template Injection (remote attached template); T1204.001 User Execution: Malicious Link; T1559.001 Inter-Process Communication: Component Object Model (listed by the analysis; the package contents reported below do not themselves show COM use)

The OOXML document carries a remote template reference and an external relationship, both resolving to https://urlty.co/AvFaa. When the document is opened for editing, Word requests that URL and applies whatever template comes back, so the file is built to pull its real payload from outside the document rather than carry it inline; the URL shortener hides the final host. Two EMF images are embedded under word/media/. They are not a detection on their own, but they were carved out for separate inspection (see Extracted artifacts below).

Heuristics 3

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://urlty.co/AvFaa), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word fetches and applies the attached template when the document is opened for editing (Protected View defers the request until the user enables editing); macros in that template run or are blocked according to the Office macro policy and trust state on the victim host. Because the URL is a shortener, the final host is not visible in the document. Resolve it only from an isolated analysis environment: the request itself tells the operator that the lure was opened, and the content served can change between fetches.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://urlty.co/AvFaa. This is the relationship behind the <w:attachedTemplate r:id="..."/> element in word/settings.xml, which is why the same URL is reported under both heuristics.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below is an OOXML XML namespace identifier taken from element and attribute declarations, not a relationship target: Word never requests these, so they are noise relative to the two findings above.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: emf_00.emf
  SHA-256: 6f6e805c9473d6b4c0aec3b082cbc7e782b6c56a4d0048ef5902bb3ed8a8965c
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 80632 bytes

Filename: emf_01.emf
  SHA-256: d22a55c5346f3d0b5a418819e6239940212efb6ade6c5e0fd969907b8158c894
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 39300 bytes
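The two relationship heuristics above (remote template, external relationship) and the EMF carving in this table, as an added example in Python that is not part of this report or of the analysis product that produced it. It assumes only the standard library. The .docx it scans is constructed in memory by build_sample_docx, a hypothetical stand-in for the real sample: it reuses the template URL from the report but adds an invented hyperlink relationship (https://example.invalid/) and a stub EMF part to show what is and is not flagged. The function names (external_relationships, remote_templates, carve_emf, analyze) are the example's own.

```python
"""Check an OOXML document for external relationships (remote template
injection via word/_rels/settings.xml.rels) and embedded EMF parts.
Added example, standard library only; the .docx is built in memory from
constructed parts so the script runs offline."""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"


def external_relationships(zf):
    """Yield (rels_part, rel_type, target) for every relationship whose
    TargetMode is External. xmlns namespace URIs never show up here: only a
    relationship target can make Word reach the network."""
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("TargetMode", "Internal").lower() == "external":
                yield name, rel.get("Type", ""), rel.get("Target", "")


def remote_templates(zf):
    """Targets of external attachedTemplate relationships in settings.xml.rels,
    i.e. the remote-template-injection case that Word fetches without a click."""
    return [target for part, rtype, target in external_relationships(zf)
            if part.endswith("settings.xml.rels") and rtype == ATTACHED_TEMPLATE]


def carve_emf(zf):
    """Return {part_name: (size, sha256)} for EMF parts under word/media/ so
    each image can be inspected on its own, as in the artifacts table."""
    carved = {}
    for name in zf.namelist():
        if name.startswith("word/media/") and name.lower().endswith(".emf"):
            data = zf.read(name)
            carved[name] = (len(data), hashlib.sha256(data).hexdigest())
    return carved


def analyze(docx_bytes):
    """Run all checks on an in-memory .docx and return a plain dict."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return {
            "external_relationships": list(external_relationships(zf)),
            "remote_templates": remote_templates(zf),
            "emf_parts": carve_emf(zf),
        }


def build_sample_docx(template_url):
    """Constructed minimal .docx (hypothetical, not the analysed sample): one
    external attachedTemplate relationship, one internal image relationship,
    one external hyperlink relationship, and a stub EMF part."""
    settings_xml = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>' % OFFICE_REL)
    settings_rels = (
        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
        'Target="%s" TargetMode="External"/></Relationships>'
        % (REL_NS, ATTACHED_TEMPLATE, template_url))
    document_rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s/image" Target="media/image1.emf"/>'
        '<Relationship Id="rId2" Type="%s/hyperlink" Target="https://example.invalid/" '
        'TargetMode="External"/></Relationships>' % (REL_NS, OFFICE_REL, OFFICE_REL))
    # Stub EMF: EMR_HEADER record (type 1), nSize 88, " EMF" signature at offset 40.
    emf = (b"\x01\x00\x00\x00" + (88).to_bytes(4, "little")
           + b"\x00" * 32 + b" EMF" + b"\x00" * 44)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/media/image1.emf", emf)
    return buf.getvalue()


if __name__ == "__main__":
    result = analyze(build_sample_docx("https://urlty.co/AvFaa"))
    for part, rtype, target in result["external_relationships"]:
        print("external rel in %s -> %s (%s)" % (part, target, rtype.rsplit("/", 1)[-1]))
    print("remote templates:", result["remote_templates"])
    for part, (size, digest) in result["emf_parts"].items():
        print("EMF part %s: %d bytes, sha256=%s" % (part, size, digest))
```

To run it against a real file, pass open(path, "rb").read() to analyze instead of the constructed sample. The design point is that the checks key on relationship Type and TargetMode in the .rels parts rather than on any http string in the package; that is exactly why the namespace URIs under EMBEDDED_URL above are noise, while the hyperlink relationship is reported as external but not as a remote template.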