Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5618db2332db57e8…

MALICIOUS

Office (OOXML) / .DOC

Size: 99.0 KB
Created: 2020-12-14 13:00:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2022-09-27
MD5: 3215d84eebf535adea7ed7d82bac7a22
SHA-1: b6737aeb0c27d65ca24d9f0483b628d0d286412a
SHA-256: 5618db2332db57e8b55adb33a4d3d6956e0647dae398ff6e53ca7545ad20f152
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The sample is an OOXML document that uses remote template injection and external relationships to fetch a file from a suspicious URL. The document body impersonates an official order from the National Police of Ukraine, likely to trick the user into downloading and executing the payload from the external URL.

Heuristics (3)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    The document references a remote template URL (http://reins.allen5.buckso.ru/КОПМЛПК/faithfully/perfectly/priest/perfectly.prv). This is a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns: on open, Word fetches and applies the remote template, and any macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://reins.allen5.buckso.ru/КОПМЛПК/faithfully/perfectly/priest/perfectly.prv
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://reins.allen5.buckso.ru/КОПМЛПК/faithfully/perfectly/priest/perfectly.prv