Office (OOXML) / .DOC static analysis report

Static analysis result for SHA-256 6bb6167724a69693…

SUSPICIOUS

Office (OOXML) / .DOC

Size: 143.0 KB
Created: 2021-09-10 17:43:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2021-09-27
MD5: 3977a7d03e913549a307c67f3647eaa3
SHA-1: eb0ed6d5419871bdb9c0865472a13f957995eaff
SHA-256: 6bb6167724a69693fa01e4f920810c7472c4d63e79e78591811b9dab57899cc7
Risk Score: 30

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains external hyperlinks and a heuristic firing for a callback phishing lure, indicating a social engineering attempt. The document body presents a fake event invitation, likely to trick the user into calling a number for support or information, which is a common tactic in tech-support scams. No scripts were extracted from this sample, limiting the analysis of its execution behavior.

Heuristics (3)

  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • External hyperlinks (10) (severity: low, rule: OOXML_EXTERNAL_HYPERLINKS)
    Document contains 10 external hyperlinks — clickable URLs are stored as external relationships. First target: https://jpmorgan.metameetings.net/events/gemcc21/sessions/39177-cross-asset-class-panel-are-we-past-the-peak-for-the-global-economy-and-markets/webcast?gpu_only
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.