Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 7a8df8cee9617d19…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 23.2 KB
First seen: 2021-05-29
MD5: d2387b18b22c241bbb9a8775ab1d5212
SHA-1: df2f2e83de78c458544f71f10531f0119314db48
SHA-256: 7a8df8cee9617d1912d92096c554deac0273fe841f7ed53a31a17302ca9a18f2
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The OOXML_ALTCHUNK_OPAQUE heuristic indicates that the document is attempting to import external content, which is a common technique for delivering malicious payloads. The presence of remote image beacons and external relationships pointing to the same domain further supports this. The imported content likely leads to the execution of a second-stage exploit or malware.

Heuristics (4)

  • altChunk imports unrecognised content (severity: high, OOXML_ALTCHUNK_OPAQUE)
    altChunk relationship resolves to a packaged part whose content does not match a known chunk format. Treat with suspicion — altChunk is rarely used outside RTF/HTML smuggling.
  • Remote image (web beacon / tracking pixel) (severity: medium, OOXML_IMAGE_BEACON)
    Document references an external image URL that loads automatically on open, revealing the viewer's IP address and the open timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks).
  • External relationship (severity: medium, OOXML_EXTERNAL_REL)
    External target in word/_rels/document.xml.rels: https://www.doctricant.com/eur?id=ZWRkcWFxLzU0Z0pCTmhzeW5GRHJYd3JkSjd0YkN5UWtsYkVxNnZTVWlqRjVhdC9VcHd4T2IrVi9oY2tDVVAvOG
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, each with the channel that reached it:
    • https://www.doctricant.com/eur?id=ZWRkcWFxLzU0Z0pCTmhzeW5GRHJYd3JkSjd0YkN5UWtsYkVxNnZTVWlqRjVhdC9VcHd4T2IrVi9oY2tDVVAvOGNvWTN2MzJ3SWJzMlREWkhoT2ZrRDg2Rm5xR2UzRHRCcHB2MXYwZGg2NjYvZGpCcVJTWCs0VVBJaVhnNDYxcVR4ajUyNkZrUnZjWXBVOG5LbG5Vbkl4NjlzY2l4M3JORTV4aDVlVGttekhxWXVnWWpJTENaeWtSQjh3eUdHaGVTNElmMVhQcF [In document text (OOXML body / shared strings)]
    • https://www.doctricant.com/eur?id=ZWRkcWFxLzU0Z0pCTmhzeW5GRHJYd3JkSjd0YkN5UWtsYkVxNnZTVWlqRjVhdC9VcHd4T2IrVi9oY2tDVVAvOG [OOXML external relationship]
    • https://www.doctricant.com/eur?id=ZWRkcWFxLzU0Z0pCTmhzeW5GRHJYd3JkSjd0YkN5UWtsYkVxNnZTVWlqRjVhdC9VcHd4T2IrVi9oY2tDVVAvOGNvWTN2MzJ3SWJzMlREWkhoT2ZrRDg2Rm5xR2UzRHRCcHB2MXYwZGg2NjYvZGpCcVJTWCs0VVBJaVhnND [OOXML external relationship]
    • http://purl.org/dc/elements/1.1/ [In document text (OOXML body / shared strings)]
    • http://purl.org/dc/terms/ [In document text (OOXML body / shared strings)]
    • http://www.w3.org/2001/XMLSchema-instance [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/package/2006/relationships [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument [In document text (OOXML body / shared strings)]
    • http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties [In document text (OOXML body / shared strings)]