Malicious Office (OOXML) / .DOC — malware analysis report

Heuristics 4

• Remote template injection high OOXML_REMOTE_TEMPLATE
  Document references a remote template URL (http://prick.falcon62.freebsdo.ru/DESKTOP-6NRN62F/glimpse/council/glimpse/nay.p3l) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
• External relationship medium OOXML_EXTERNAL_REL
  External target in word/_rels/settings.xml.rels: http://prick.falcon62.freebsdo.ru/DESKTOP-6NRN62F/glimpse/council/glimpse/nay.p3l
• External hyperlinks (37) low OOXML_EXTERNAL_HYPERLINKS
  Document contains 37 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.facebook.com/Sharij.Luhansk
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://lysychansk.com

  • https://cxid.info
  • https://www.0642.ua/news
  • https://www.ostro.org/lugansk/news/
  • https://tribun.com.ua/developments/
  • https://www.06452.com.ua
  • http://prick.falcon62.freebsdo.ru/DESKTOP-6NRN62F/glimpse/council/glimpse/nay.p3l
  • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
  • http://schemas.openxmlformats.org/markup-compatibility/2006
  • http://schemas.openxmlformats.org/officeDocument/2006/relationships
  • http://schemas.openxmlformats.org/officeDocument/2006/math
  • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
  • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
  • http://schemas.openxmlformats.org/wordprocessingml/2006/main
  • http://schemas.microsoft.com/office/word/2010/wordml
  • http://schemas.microsoft.com/office/word/2012/wordml
  • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
  • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
  • http://schemas.microsoft.com/office/word/2006/wordml
  • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
  • https://www.facebook.com/group
  • https://www.facebook.com/groups/lischimstroy/?multi_permalinks=1212362959293347
  • https://www.facebook.com/donbasonline/
  • https://www.facebook.com/Sharij.Luhansk
  • https://www.facebook.com/groups/166290134221864/
  • https://www.facebook.com/groups/Severodonetsk.Operativnyiy/
  • https://www.facebook.com/groups/objavleniyaslrk/
  • https://www.facebook.com/groups/lhs1934/
  • https://www.facebook.com/groups/802884506555931/
  • https://www.facebook.com/groups/pozitivsever/
  • https://www.facebook.com/groups/220932901713957/
  • https://www.facebook.com/groups/426205779040190/
  • https://www.facebook.com/groups/2107532592799244/
  • https://www.facebook.com/groups/609099296559799/
  • https://www.facebook.com/groups/266850500453738/
  • https://www.facebook.com/groups/767991163628059/
  • https://www.facebook.com/groups/2848275265197142/
  • https://www.facebook.com/groups/685653068281902/
  • https://www.facebook.com/groups/270957467123023/
  • https://www.facebook.com/groups/r13lg/
  • https://www.facebook.com/groups/1134169546688639/
  • https://www.instagram.com/lhs1934_severodonetsk/
  • https://www.instagram.com/severodonetsk.times/
  • https://www.instagram.com/lisichansk_info_/
  • https://www.instagram.com/severodonetsk.day/
  • https://www.instagram.com/moi_gorod_rubezhnoe/
  • https://www.instagram.com/starobelsk.online/
  • https://www.instagram.com/starobelsk_1686/
  • https://www.instagram.com/starobelsk.live/
  • https://www.ukr.net/news/luhansk.html

Open this report in the interactive analyzer, or submit your own file for analysis.