Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 6a3446b8a47f0ab4…

MALICIOUS

Office (OOXML) / .DOC

180.5 KB Created: 2020-05-07 06:45:00 UTC Authoring application: Microsoft Office Word 16.0000
MD5: e7aa0237fc3db67a96ebd877806a2c88 SHA-1: 0ecc687d741c7b009c648ef0de0a5d47213f37ff SHA-256: 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file exhibits critical heuristic firings for remote template injection and external relationships, indicating an attempt to load external content. The ClamAV detection as 'Doc.Downloader.BLINDINGCAN0-9448424-0' strongly suggests a downloader functionality. The primary IOC is the URL associated with the remote template injection, which is likely used to fetch and execute a secondary payload.

Heuristics 4

  • ClamAV: Doc.Downloader.BLINDINGCAN0-9448424-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.BLINDINGCAN0-9448424-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://www.anca-aste.it/uploads/form/boeing_jd_t034519.jpg) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://www.anca-aste.it/uploads/form/boeing_jd_t034519.jpg
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.anca-aste.it/uploads/form/boeing_jd_t034519.jpg
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape

Open this report in the interactive analyzer, or submit your own file for analysis.