Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 7969f17ccdbdaf8d…

MALICIOUS

Office (OOXML) / .DOC

Size: 53.7 KB
Created: 2020-09-29 09:26:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: 6dcc1f7f0f3d678de7284e13592b0676
SHA-1: e4c5f67a6f6a3f4c82e39374e3a1f811575e494e
SHA-256: 7969f17ccdbdaf8d3baffd32272d0f93361ae0e1551556d70a52a6c2535bbc5b
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document exhibits the characteristics of an advance-fee scam (lottery winnings combined with parcel-delivery requirements), as flagged by the 'SE_ADVANCE_FEE_SCAM_LURE' heuristic. It also carries an external image relationship pointing at a remote URL, which is most likely used to confirm that the document was opened or simply to render a logo for the lure; no macro, OLE object or template injection is reported for this sample. The document body text supports the scam classification directly: it mentions lottery prizes and instructs the reader to contact a lawyer for more information.

Heuristics (4)

  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL. Word resolves external image relationships automatically when the document is opened (no click required), which reveals the reader's IP address and the open time to the remote server. This is commonly used for phishing tracking; when the target is a UNC/WebDAV path, or an HTTP server answers with an NTLM authentication challenge, it can also be used to capture NTLM credentials on corporate networks.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: http://www.topclassactions.com/wp-content/uploads/2011/10/mega brands logo.jpg
    Note that the relationship target contains literal spaces; tools that extract URLs with a whitespace-delimited regex will truncate it, as the EMBEDDED_URL list below shows.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The schemas.openxmlformats.org and schemas.microsoft.com entries are XML namespace declarations present in every OOXML file and are not network indicators.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas - in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 - in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships - in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math - in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing - in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing - in document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main - in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml - in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml - in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup - in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk - in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml - in document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape - in document text (OOXML body / shared strings)
    • http://www.topclassactions.com/wp-content/uploads/2011/10/mega%20brands%20logo.jpg - in document text (OOXML body / shared strings)
    • http://www.topclassactions.com/wp-content/uploads/2011/10/mega - OOXML external relationship (truncated at the first space in the relationship target; the full target is given under OOXML_EXTERNAL_REL above)
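The OOXML_EXTERNAL_REL and OOXML_IMAGE_BEACON heuristics above, together with the truncated entry in the EMBEDDED_URL list, can be reproduced with a short scanner. The following is an added example, not code from the analysis platform that produced this report: it builds a constructed minimal .docx in memory (with an invented example.invalid host, not the sample's real target), walks every `.rels` part, keeps the `TargetMode="External"` relationships, marks the relationship types Word resolves automatically on open as beacons, and shows side by side what a whitespace-delimited URL regex extracts versus the percent-encoded target.

```python
"""Added example: enumerate external relationships in an OOXML (.docx) package.

Not the analysis platform's own code. The sample document, host name and
relationship targets below are constructed for illustration only.
"""
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import quote

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves without user interaction when the document
# is opened; an external target of one of these types is a web beacon.
# (hyperlink targets are only fetched when the reader clicks them.)
AUTO_LOAD_TYPES = {"image", "oleObject", "attachedTemplate", "frame"}

# Constructed sample parts. The image target deliberately contains a space,
# mirroring the "mega brands logo.jpg" target shape seen in this report.
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    "<w:body><w:p><w:r><w:t>Congratulations, you have won a lottery prize.</w:t></w:r></w:p>"
    '<w:p><w:hyperlink r:id="rId3"><w:r><w:t>Contact our lawyer</w:t></w:r></w:hyperlink></w:p>'
    "</w:body></w:document>"
)
DOCUMENT_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{REL_TYPE_BASE}image"'
    ' Target="http://example.invalid/logo dir/logo.jpg" TargetMode="External"/>'
    f'<Relationship Id="rId3" Type="{REL_TYPE_BASE}hyperlink"'
    ' Target="http://example.invalid/claim" TargetMode="External"/>'
    "</Relationships>"
)


def build_sample_docx() -> bytes:
    """Write the constructed parts into an in-memory OOXML zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return one record per TargetMode="External" relationship in any .rels part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))  # bytes: encoding declaration is honoured
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                # A whitespace-delimited regex (what many URL extractors do over raw
                # bytes) stops at the first space and reports a truncated URL.
                naive = re.search(r"https?://\S+", target)
                found.append(
                    {
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel_type,
                        "target": target,
                        "auto_load": rel_type in AUTO_LOAD_TYPES,
                        "unc_or_file": target.startswith(("\\\\", "file:")),
                        "naive_extract": naive.group(0) if naive else None,
                        "encoded": quote(target, safe=":/?#&=%@+"),
                    }
                )
    return found


def beacon_targets(rels: list[dict]) -> list[str]:
    """Percent-encoded targets that Word fetches automatically on open."""
    return [r["encoded"] for r in rels if r["auto_load"]]


if __name__ == "__main__":
    rels = external_relationships(build_sample_docx())
    for r in rels:
        print(f'{r["part"]} {r["id"]} {r["type"]:<10} auto_load={r["auto_load"]} '
              f'target={r["target"]!r} naive={r["naive_extract"]!r}')
    print("beacons:", beacon_targets(rels))
```

Because the target is read from the `Target` attribute of the parsed XML rather than regex-matched out of the raw bytes, the scanner keeps the full path with its embedded spaces; the `naive_extract` field shows the truncated form a byte-level URL extractor would report instead. The `unc_or_file` flag is the check for the NTLM-capture variant: a `\\server\share` or `file:` target makes Word authenticate to the remote host over SMB or WebDAV.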