Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 7a7d1e10f1961620…

MALICIOUS

Office (OOXML) / .DOC

123.7 KB Created: 2025-08-09 16:12:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: 170d2b8c1c6f5f4f605bd7c915d04e3c SHA-1: a5ec8549c32ef29bdd49aab12a8787dc0a54194f SHA-256: 7a7d1e10f196162018e21a082e0377303d8fea77154f03d633c464e4f739e25c
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The OOXML document contains an embedded OLE object with high-entropy data, which is a strong indicator of a malicious payload. An external relationship points to a suspicious URL that likely hosts a secondary stage. The presence of an embedded OLE object suggests a potential exploitation for client execution.

Heuristics 5

  • OOXML part with non-standard content type and high-entropy data high OOXML_BOGUS_CUSTOM_PART
    The package declares a part with an invented content type (not an OpenXML/Office/standard media type) holding large, high-entropy (likely encrypted/packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https:/nicegooderfulmustvisitt____understandbestfeelingeredbestfeeling.pNNNg=@31productions.de/5bT5ZR
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 OOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsOOXML external relationship
    • http://schemas.openxmlformats.org/officeDocument/2006/mathOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingOOXML external relationship
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainOOXML external relationship
    • http://schemas.microsoft.com/office/word/2006/wordmlOOXML external relationship
    • http://schemas.openxmlformats.org/drawingml/2006/mainOOXML external relationship

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
4979d95221350465971b2418aa4d47b72a87785536820275179a26560a64ebd9		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_Word_97_-_2003_Document1.doc 128000 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.40, consistent with packed or encrypted content.
emf_00.emf
610ac39c1e60f068258b573a54900ca1465e34a13e87499709d25941f0e515d2		 ooxml-emf OOXML EMF part: word/media/image1.emf 108368 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.