Office (OOXML) / .DOC malware analysis — malicious · 6feb98b93a4bbe22

MALICIOUS

Office (OOXML) / .DOC

152.9 KB Created: 2018-10-22 04:24:00 UTC Authoring application: Microsoft Office Word 12.0000

MD5: eb3717e1cf5fcf79aa9540152da7541b SHA-1: 7b8168461943c6bc63479068f5c3467098504c61 SHA-256: 6feb98b93a4bbe2279afe21a3dd3efc70ec7c132d26884f75a0b4ab12e675ecf

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The OOXML document contains heuristics indicating remote template injection and external relationships pointing to 'http://webinstaller.online/office/updates'. This suggests the document is designed to lure the user into downloading and executing a malicious payload from this URL, likely as part of a spearphishing campaign.

Heuristics 3

Remote template injection high OOXML_REMOTE_TEMPLATE

Document references a remote template URL (http://webinstaller.online/office/updates) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
External relationship medium OOXML_EXTERNAL_REL

External target in word/_rels/settings.xml.rels: http://webinstaller.online/office/updates
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://webinstaller.online/office/updates
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.