Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 5f5f7f369c6cffd3…

MALICIOUS

Office (OOXML) / .DOC

Size: 319.5 KB
Created: 2023-08-06 18:37:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-10-10
MD5: d58a8090cde05e0ce1ad53ff95f785be
SHA-1: 70adf53b458d3192a39c07929f790412f746522c
SHA-256: 5f5f7f369c6cffd35557784e7e07404e2ff76414e84b7f7afe6f7e13fd491289
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1059 Command and Scripting Interpreter

The sample exhibits characteristics of a malicious OOXML document, specifically triggering heuristics for remote template injection and external relationships. The presence of an embedded OLE object further suggests malicious intent. The primary IOC is the external URL, which is likely used to fetch and execute a secondary payload, indicating a downloader or dropper attack pattern.

Heuristics (4)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://i8.ae/gseDm) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://i8.ae/gseDm
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://i8.ae/gseDm

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: e555443307900d609e95063996cbdf335a9f74dc27a18147c45cb5f738454963
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 1594368 bytes
  • Filename: emf_00.emf
    SHA-256: 12c8d665ee69f88da2109ad63983811816b7323f11a231c00f46420a01c7c85f
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1504016 bytes