Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 66fe51d708910059…

MALICIOUS

Office (OOXML) / .DOC

Size: 456.9 KB | Created: 2024-10-24 07:27:00 UTC | Authoring application: Microsoft Office Word 12.0000
MD5:     8ae0873976db80ed87c45fb1c3bae104
SHA-1:   cff11d56befef537b793e835e9a2861b54322641
SHA-256: 66fe51d70891005923b3cc0b22e1044ab5537f00145a02ec63a46c1dba30d10f
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The OOXML document exhibits characteristics of malicious intent, including remote template injection and the embedding of an OLE object. These elements strongly suggest an attempt to exploit vulnerabilities and download a secondary payload from the identified URLs. The presence of these indicators points towards a spearphishing attachment delivery method.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://qrisni.me/VRaGpr?&methodology=shivering&quicksand=overt&quartz=instinctive&mat=recondite&uncle=busy&batter=gentle&british=sordid&bub) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://qrisni.me/VRaGpr?&methodology=shivering&quicksand=overt&quartz=instinctive&mat=recondite&uncle=busy&batter=gentl
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://qrisni.me/VRaGpr?&methodology=shivering&quicksand=overt&quartz=instinctive&mat=recondite&uncle=busy&batter=gentle&british=sordid&bub
    • https://qrisni.me/VRaGpr?&methodology=shivering&quicksand=overt&quartz=instinctive&mat=recondite&uncle=busy&batter=gentle&british=sordid&bubble
    • https://qrisni.me/VRaGpr?&methodology=shivering&quicksand=overt&quartz=instinctive&mat=recondite&uncle=busy&batter=gentl
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename               | SHA-256                                                          | Kind             | Source                                                  | Size
ooxml_oleobject_00.bin | 2febcbbd65905b8761a9f0358daa4981930505c0eba2607bece25564557c30b8 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 1596928 bytes
emf_00.emf             | acf3f2aeff8abd7ac1fa635b5d9431da2b26a968f150a1160b3c80a1df0e33d9 | ooxml-emf        | OOXML EMF part: word/media/image1.emf                   | 1504468 bytes