Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 7d98dcc2596d38a7…

MALICIOUS

Office (OOXML) / .DOC

Size: 236.5 KB
Created: 2024-11-25 08:51:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 9713b6820fa47781f76d48e02a8ec632
SHA-1: dcb3cacff365a015195a11f4683df28dd7e4ed51
SHA-256: 7d98dcc2596d38a7394b812c1304a1877d611d7ec82cfc53fd29bc45df779d92
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document triggers heuristics for remote template injection and for an external relationship, both of which point to the same suspicious URL. This indicates the document is designed to lure the user into fetching a secondary payload from that URL and executing it. The presence of embedded OLE objects further supports the likelihood of malicious content execution.

Heuristics (4)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://ljg.cl/wxoL?&chance=watery&panic=groovy&jiffy=friendly&pigeon=venomous&range=wistful&regret) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://ljg.cl/wxoL?&chance=watery&panic=groovy&jiffy=friendly&pigeon=venomous&range=wistful&regret
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://ljg.cl/wxoL?&chance=watery&panic=groovy&jiffy=friendly&pigeon=venomous&range=wistful&regret
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

ooxml_oleobject_00.bin
  SHA-256: 2685726b2ce30717a385708f46fd88c6131a5b8ceeac84aef693e39dea3f006c
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet2.xlsx
  Size: 215179 bytes

ooxml_oleobject_01.bin
  SHA-256: 50ae4532433d7147600145d10f633a99eeb5408b3b903407810718b7894d99b2
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx
  Size: 26498 bytes

emf_00.emf
  SHA-256: eb4e04ebf5d749f46631b903b8aed497fdae7a6fb6b143d12c2bd5ead43881e3
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 52712 bytes

emf_01.emf
  SHA-256: 761b373ddabbd4190d2778697d3d10bc4a0e74ac234e7037d6caf46854b41c8e
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 234700 bytes