Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 72d9d3ae2786e119…

MALICIOUS

Office (OOXML) / .DOC

Size: 175.3 KB
Created: 2023-06-11 02:07:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-10-04
MD5: 08b783d3c4ca8133e0f580f37fc4de46
SHA-1: a1f11b8d5dc20920b02e0afec9e60de10c6c9e7e
SHA-256: 72d9d3ae2786e119e2e9608bae6937a0306b6d268ec8f9e1787de3c9bc5f4be0
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1559.001 Component Object Model Hijacking

The OOXML document exhibits characteristics of malicious intent, specifically remote template injection and the presence of an embedded OLE object. The external relationship points to a suspicious URL, https://i8.ae/UUcYe, which is likely used to download and execute a secondary payload. The combination of these factors strongly suggests a malicious document designed for payload delivery.

Heuristics (4)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://i8.ae/UUcYe) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://i8.ae/UUcYe
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://i8.ae/UUcYe
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: c52df25578fb50b52c4f1a74b7e7ed86101558050e4ed4bd6fd611abd794c01d
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Macro-Enabled_Worksheet1.xlsm
  Size: 11617 bytes

Filename: emf_00.emf
  SHA-256: 1ab8f5abd845ffd0c61a61bb09bfcf20569b80b4496bccb58c623753cf40485c
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 4056 bytes