Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 61f8e4e5644fe73f…

MALICIOUS

Office (OOXML) / .DOC

84.9 KB Created: 2024-08-07 00:30:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: 4d1dda7b62796f1d78efc8081aed6e6a SHA-1: 82bcec87e818bd0e56144c07c488bd063b27faad SHA-256: 61f8e4e5644fe73fca16ac2bd69b9c4235510dbce70d1d7faf102134f869a2aa
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The OOXML document exhibits characteristics of malicious intent, specifically remote template injection and external relationships pointing to the URL https://urlty.co/gZTJU. The presence of embedded OLE objects further suggests the potential for executing embedded code. These indicators collectively point towards an attack pattern designed to download and execute a secondary payload, likely via a spearphishing attachment.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://urlty.co/gZTJU) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://urlty.co/gZTJU
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://urlty.co/gZTJU
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
4ff8376535ed446f18860c6a343cf71832a0b0a6708786cf6156f4a3c3b2eb0f		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx 34554 bytes
ooxml_oleobject_01.bin
3570a97115dce6186711f1a9030503a8916109445e477f0fa51c26bd77a638f1		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet2.xlsx 26947 bytes
emf_00.emf
6f6e805c9473d6b4c0aec3b082cbc7e782b6c56a4d0048ef5902bb3ed8a8965c		 ooxml-emf OOXML EMF part: word/media/image2.emf 80632 bytes
emf_01.emf
68fad6de3072d05d096326588a2d933eacdfa3bbd8369f48c73d8021ca3edee2		 ooxml-emf OOXML EMF part: word/media/image1.emf 39300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.