Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5cd81df912442709…

MALICIOUS

Office (OOXML) / .DOC

575.2 KB Created: 2025-08-17 16:26:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: 6b8c0c53aa7f88b898aea247a3b1abb9 SHA-1: 661c595fb2cf4b800a3eb1f852bddfe1564b21d4 SHA-256: 5cd81df91244270908a29f37272fd11240d797ddfbf9df9a6855936e41af909e
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file exhibits characteristics of a malicious OOXML document, including remote template injection and embedded OLE objects. The presence of a suspicious URL suggests an attempt to download a secondary payload. The embedded OLE objects, particularly 'ooxml_oleobject_03.bin', are likely components of the exploit or payload delivery mechanism.

Heuristics 5

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://seethebestfeelingswithbetterchoicefor_____greatniceserviceskillforme.gIfFf=@shorten.website/3HqLXD?&icicle) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://seethebestfeelingswithbetterchoicefor_____greatniceserviceskillforme.gIfFf=@shorten.website/3HqLXD?&icicle
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://seethebestfeelingswithbetterchoicefor_____greatniceserviceskillforme.gIfFf=@shorten.website/3HqLXD?&icicle
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
93479444a6f5ac4a53f2bbe9b6fc84907e60d6232ba9b0ea5088ac233d496e69		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 1611264 bytes
ooxml_oleobject_01.bin
da5727ed1a83b33d87aa9154ba94a36e478150e81bdb732aeef3ce4f209f0cc2		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_PowerPoint_Presentation1.pptx 203852 bytes
ooxml_oleobject_02.bin
20d9fa599acde8c4b53273a1b275c21817cdea5b008de5c404ab0dee00c124fc		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_PowerPoint_Presentation1.pptx!ppt/embeddings/oleObject1.bin 340480 bytes
ooxml_oleobject_02_ole10native_00.bin
aebfa3cc9cffd1af88424a4828f90c2a91932c7006bd1640e9ae65f18d99a7e2		 ole-package OOXML word/embeddings/Microsoft_Office_PowerPoint_Presentation1.pptx!ppt/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 167172 bytes
ooxml_oleobject_03.bin
9fd49e7ec6378d2b5b85e77bc95f3a29fce3c850b70ae0fd5fe98e7ed6137bd9		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_PowerPoint_Presentation1.pptx!ppt/embeddings/oleObject2.bin 55296 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.74, consistent with packed or encrypted content.
emf_00.emf
01a727bc59f1df2fca96faa3ee6e5d4adaba38cda75f63027a6b6a5268cf631a		 ooxml-emf OOXML EMF part: word/media/image2.emf 1504016 bytes
emf_01.emf
6f640b632baf479c5eba19b994e17e0a22d011cf1b4eec9f2ff5f7bd28766f04		 ooxml-emf OOXML EMF part: word/media/image1.emf 1117396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.