Office (OOXML) / .DOC malware analysis — malicious · 7ddaacec625a6b4a

MALICIOUS

Office (OOXML) / .DOC

121.7 KB Created: 2023-09-02 09:41:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2023-09-18

MD5: 31a6fb8480dac03f0e2a0aaebbba41db SHA-1: 51f9c368f6a52d02a28f380cadab36f23c6d6373 SHA-256: 7ddaacec625a6b4a57aa10501bb03fb23fdfe9a8765557eaddab779c9db03919

82 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link

The OOXML document contains heuristics indicating remote template injection and an external relationship, pointing to the embedded URL https://mub.me/6Tyq. This suggests the document is designed to trick the user into fetching and executing a secondary malicious payload from this external source. An embedded OLE object was also detected, which could contain further malicious content.

Heuristics 4

Remote template injection high OOXML_REMOTE_TEMPLATE

Document references a remote template URL (https://mub.me/6Tyq) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
External relationship medium OOXML_EXTERNAL_REL

External target in word/_rels/settings.xml.rels: https://mub.me/6Tyq
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://mub.me/6Tyq

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `c600fab7b32c6c108dad586fce3e15cf04274d8c14c45cbf3783a290a447d6b0`	ooxml-ole-object	OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx	25979 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.